EFF Border Search 0

8/3/2019 EFF Border Search 0

1/24

Deending Privacyat the

U.S. Border:A Guide or Travelers

Carrying Digital Devices

By Seth Schoen, Marcia Homann

and Rowan Reynolds

December 2011

ELECTRONIC FRONTIER FOUNDATIONeff.org
http://eff.org/http://eff.org/


2/24

1ELECTRONIC FRONTIER FOUNDATION EFF.ORG

Table o ContentsWhy Can My Devices Be Searched at the Border? ........................................3

How the Government Searches Devices at the Border ................................4

Deciding How to Protect Your Data ...............................................................5

Some Basic Precautions ...................................................................................................6

Backups ..................................................................................................................................7

Backups Using the Internet ........................................................................................7

Backups Using an External Hard Drive ...................................................................8

Minimizing Data You Carry .............................................................................................9

The Challenges o Secure Deletion ....................................................................... 10

Operating System on an SD Card .......................................................................... 11

Encryption ......................................................................................................................... 11

Account Passwords Versus Full-Disk Encryption .............................................. 12

Choosing a Disk Encryption Tool ........................................................................... 13

Choosing a Secure Passphrase ............................................................................... 13

Border Agent Demands or Access to Data ....................................................... 15

Technology-specifc Considerations ........................................................................ 16

Flash Drives.................................................................................................................... 16

Mobile Phones and Similar Devices ..................................................................... 16

Temporary Phones or Travel .................................................................................. 16

Secure Deletion o Data and Disk Encryption or Mobile Devices ............ 17

Digital Cameras ............................................................................................................ 17

Interacting with Border Agents .................................................................. 17

Dont Lie .......................................................................................................................... 18

Dont Obstruct an Agents Investigation ............................................................. 18

Courtesy ......................................................................................................................... 18

Appendix ...................................................................................................... 19

Endnotes ...................................................................................................... 20


3/24


Authors: Seth Schoen, Marcia Homann and Rowan Reynolds

Editing: Rainey Reitman and Mark Jaycox

Graphics and layout: Hugh DAndrade

A publication o the Electronic Frontier Foundation, 2011

Copyright:

Deending Privacy at the U.S. Border: a Guide or Travelers Carrying Digital Devices is licensed un-

der a Creative Commons Attribution 3.0 Unported License unless otherwise noted.
http://eff.org/http://creativecommons.org/licenses/by/3.0/http://creativecommons.org/licenses/by/3.0/http://eff.org/


4/24


Deending Privacy at the U.S. Border:A Guide or Travelers Carrying Digital Devices

Our lives are on our laptops amily photos, medical documents, banking inormation, detailsabout what websites we visit, and so much more. Tanks to protections enshrined in the U.S.

Constitution, the government generally cant snoop through your laptop or no reason. Butthose privacy protections dont saeguard travelers at the U.S. border, where the U.S. govern-ment can take an electronic device, search through all the les, and keep it or a while orurther scrutiny without any suspicion o wrongdoing whatsoever.

For doctors, lawyers, and many businessproessionals, these border searches can com-promise the privacy o sensitive proessionalinormation, including trade secrets, attorney-client and doctor-patient communications,research and business strategies, some o

which a traveler has legal and contractual obli-gations to protect. For the rest o us, searchesthat can reach our personal correspondence,health inormation, and nancial records arereasonably viewed as an aront to privacy anddignity and inconsistent with the values o aree society.

Despite the lack o legal protections againstthe search itsel, however, those concernedabout the security and privacy o the inorma-tion on their devices at the border can usetechnological measures in an eort to protecttheir data. Tey can also choose not to takeprivate data across the border with them at all,and then use technical measures to retrieve itrom abroad. As the explanations below dem-onstrate, some o these technical measures aresimple to implement, while others are complexand require signicant technical skill.

Why Can My Devices Be Searched at the Border?Te Fourth Amendment to the United States Constitution protects us against unreasonablegovernment searches and seizures. Tis generally means the government has to show a courtprobable cause that a crime has been committed and get a warrant beore it can search a loca-tion or item in which you have a reasonable expectation o privacy. But searches at places wherepeople enter or leave the United States may be considered reasonable simply because theyhappen at the border or an international airport.

Several ederal courts have considered whether the government needs any suspicion o criminal

Why might people want to protect

their data at the border?

Businesstravelers,lawyers,doctors,or

other proessionals may have con-

dential or privileged inormation on

their laptops that they dont want oth-ers to see or that they are obligated by

law or contract to protect.

Peoplemayhavesensitivepersonal

inormation on their devices such as

medical records, nancial documents,

and years o correspondence with am-

ily, riends and business associates.

Sometravelersmayhaverepeateddif-

culties crossing the border, and wish

to take proactive steps to protect their

data in light o their past experiences.

Somemayfeelasamatterofprinciple

that the government shouldnt be

able to view their private inormation

simply because they choose to travel

internationally.


5/24


activity to search a travelers laptop at the U.S. border. Unortunately, so ar they have decidedthat the answer is no.1 Congress has also weighed several bills to protect travelers rom suspi-cionless searches at the border, but none has yet passed.2

For now, a border agent has the legal authority to search your electronic devices at the bordereven i she has no reason to think that youve done anything wrong.

How the Government Searches Devices at theBorderTere are two government agencies primarily responsible or inspecting travelers and itemsentering the United States: the Department o Homeland Securitys Customs and Border Pro-tection (CBP) and Immigration and Customs Enorcement (ICE). (Occasionally, CBP or ICEcan make special arrangements to question a passenger departing rom the United States orinspect her belongings, but neither agencyroutinely does so.)

Te law gives CBP and ICE agents a great

deal o discretion to inspect items com-ing into the county. While its impossibleto know or sure how theyll handle everyborder search situation, agencies havepublished their policies or searching elec-tronic devices and data.

CBP tells its agents that with or withoutindividualized suspicion, they can inspectelectronic devices and data encounteredat the border.3 Te agency can keep your

computer or copies o your data or abrie, reasonable amount o time to besearched on- or o-site. Ordinarily, thisisnt more than ve days.4 CBP recognizesthat agents might run across privileged orsensitive inormation stored on devices,but does not clearly explain the proceduresor handling it.5 When CBP agents experi-ence technical diculties or encounter in-ormation that is encrypted or written in aoreign language, they may send the device

or a copy o the data to other governmentagencies that might be able to help accessthe inormation.6 Border agents dont needany suspicion o wrongdoing to seek thisassistance,7 and its unclear whether thecooperating agencies can keep copies o thedata they receive indenitely.

Which Three-Letter Acronym Was That

Again?

The Department o Homeland Security(DHS) has several departmental missions,

including to secure[] the nations air, land and

sea borders to prevent illegal activity while

acilitating lawul travel and trade. Department

o Homeland Security Missions and Responsi-

bilities, http://www.dhs.gov/xabout/responsi-

bilities.shtm (last visited Oct. 4, 2011).

Customs and Border Protection (CBP) is

the primary agency that inspects and searches

travelers entering the United States. For exam-

ple, when you arrive in the U.S., you can expectto be interviewed at the border by a CBP agent

and to present your Customs declaration to

another CBP agent.

Immigration and Customs Enorcement

(ICE) investigates violations o laws related

to borders. Although ICE has border search

authority, it isnt routinely involved in searching

or interviewing travelers at ports o entry.

The Transportation Security Administra-

tion (TSA) is responsible or transportation

security within the United States, and does notperorm searches at the border. Normally, TSA

searches travelers beore they board a plane,

not ater they land. You can expect to be

searched by TSA when departing the U.S. by

air, but the screening TSA perorms is usually

identical or domestic and international pas-

sengers.
http://eff.org/http://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://eff.org/


6/24


Like CBP agents, ICE agents may inspect electronic devices and the inormation on themwith or without individualized suspicion.8 ICE will typically complete searches o devicesand copies o data within 30 days,9 though anecdotal reports suggest that travelers devices aresometimes detained or signicantly longer periods o time.10 ICEs policy, like CBPs directive,says that agents may seek technical assistance rom others to translate or decrypt data,11 and issimilarly vague about how agents should handle privileged or sensitive inormation.12

Beyond seizing the device at the border, the government may take a device to a location away

rom the border or urther inspection.13 I this occurs, searches o devices that are conducted ata time and/or place removed rom the initial border stop can become extended border searchesthat require reasonable suspicion o wrongdoing or even regular searches that require a prob-able cause warrant.14

In short, border agents have a lot o latitude to search electronic devices at the border or takethem elsewhere or urther inspection or a short period o time, whether or not they suspect atraveler has done anything wrong.

For now, the government searches only a small percentage o international travelers electronicdevices. According to documents obtained by the American Civil Liberties Union through theFreedom o Inormation Act, more than 6,500 people traveling to and rom the United States

had their electronic devices searched at the border between October 2008 and June 2010, anaverage o more than 300 border searches o electronic devices a month. Almost hal o thosetravelers were U.S. citizens.15 Tis means that these searches are a regular occurrence, but onethat most travelers will never encounter given the number o travelers who cross the bordereach month.

Te requency o technology-oriented searches at the border may increase in the uture. Re-searchers and vendors are creating tools to make orensic analysis aster and more eective,and, over time, orensic analysis will require less skill and training.16 Law enorcement agenciesmay be tempted to use these tools more oten and in more circumstances as their use becomeseasier.

Deciding How to Protect Your DataDierent people will choose dierent kinds o precautions to protect their data at the borderbased on their experience, perception o risk, and other actors. There is no particular ap-proach we can recommend or all travelers. Tese are some o the considerations youmight take into account:

Your citizenship, immigration, or residence status. I you are not a U.S. citizen, you maybe more easily denied entry into the country, and so you may want to be especially careulto avoid situations where border agents might consider you uncooperative or taking stepsto protect your data or politely reusing to provide encryption passwords.

Time sensitivities. Is it important or you to reach your destination by a certain time?I border agents hold you up with questioning or attempts to search your devices, it maywreak havoc on your travel schedule.

How much hassle youre willing to tolerate rom border agents. I you want to secureyour data but are uncomortable about the possibly o appearing uncooperative with borderagents, it might be best to avoid such awkward situations all together. For example, you


7/24


might choose to take a blank device overthe border and download your data onceyou reach your destination rather thanace an uncomortable interaction witha border agent who wants to search thedata on your device.

How important it is or you to have ac-

cess to your data during your journey.Consider whether youll need your datawith you on the plane, or whether youcan wait until youve crossed the borderto access it.

How good your Internet access will beduring your travels. I youll have accessto lots o bandwidth, you might be ableto download the data you need once youreach your destination.

The countries youve visited beoreentering the United States. ravel tocertain countries may draw additionalscrutiny rom border agents.

Your history with law enorcement. Iyou are subject to an ongoing investiga-tion or otherwise under suspicion or any reason, you may be screened or questioned moreintensively.

Some Basic Precautions

All computer users who carry important inormation on portable devices should be aware otwo basic precautions:

Makingregularbackups,whichensuresthatyourimportantinformationstaysavailabletoyou i your computer is ever taken rom you, lost, or destroyed. (I you dont have access toyour computer, youll still have access to your data.)

Encryptingtheinformationonthecomputer,whichensuresthatyourinformationstayscondential rom other people whom you dont authorize to access it. (I you lose control oyour computer, other people wont have access to your data.)

In the inancy o personal computing, experts put particular emphasis on the need to make

backups. oday, we think these two precautions are really halves o a larger whole: making surethat that inormation stays available to those you want to have it, and that its not available toothers. Applying these precautions can help you deal with travel incidents well beyond thecomparatively unusual case o border searches, like i you leave a laptop in a taxi or i someonesteals your backpack or purse rom a ca.

Te right time to get started with both o these precautions is beore your trip, when youre athome or at work and have more time and greater access to other people who can help you getset up appropriately.

Case Scenario: Business Concerns

Alice is a requent business traveler who o-

ten needs access to proprietary inormation

that her company considers highly sensitive

and condential. When she travels or work,

she takes a special laptop that contains the

minimum inormation necessary or her

trip. Beore she leaves the country, she uses

strong cryptography to encrypt that inor-

mation. She also sets up two separate log-in

accounts on the computer: a protected

account where the encrypted les may be

accessed, and a separate account or other

uses o the laptop. Anyone who wants to

view the condential data must log in to

the protected account and then decrypt

the les. Only Alices employer knows the

passwords to the account and encrypted

data, and the companys IT department

sends the passwords to her in an encrypted

email message so that she can access the

data abroad. Beore she returns to the U.S.,

she securely wipes her laptop.


8/24


Tere are also other more elaborate precautions which you might nd useul. Ater discussingthe basics, well suggest several o these below. Note that many o the precautions we will dis-cuss address the possibility that your electronic devices are taken away rom you, and examinedor hours by a trained expert. For travelers who eel that this is an important concern, its worthunderstanding what the capabilities o that expert examiner may be.

Backups

Every year millions o computer users lose important inormation accidentally or want o agood, current backup, so there are many good reasons other than the possibility o a bordersearch or seizure or you to have a current backup. In modern practice, backups are most otenmade onto another computer over a network. (See our discussion o on-line service privacy inthe next section Backups Using the Internet.) You can also back up to an external hard drive,which can be extremely quick and easy.

Backups are especially important or travelers, since, aside rom the possibility o a bordersearch or seizure, travel presents many opportunities or losing your computer or data.

Backups Using the Internet

When youre backing up your computer over a network, bear in mind that

Yourconnection to the server should be encrypted to prevent eavesdropping that wouldreveal the contents o your backup.

econtent o your backups should also be encrypted so that the backup service itselcant read them. (Currently, only a ew services automate this process or you.)

Yourbackupsshouldbefrequent,especiallywhileyouretravelingawayfromhome.eycan be incremental so that only things that have changed since your previous backup areactually transmitted over the network.

YourInternetaccesswillneedtobeast enough to transer the amount o inormationyou have to back up in the time you have available.

Storing inormation with an online service, sometimes also called a cloud service, is a popularchoice today; it may have signicant benets or reducing the amount o data that could beexposed to a border search. For instance, you could keep your email with a webmail providerand not on your laptop, or edit documents on a network service like Google Docs, or store leswith a service like SpiderOak instead o on your computer. Devices like Chromebooks can dothis automatically so that you rarely physically store inormation on a laptop at all. Relying onnetwork services and network storage has both advantages and disadvantages or privacy.

Pro: Data is not stored on your device, is not actually carried across the border, and is not

subject to a physical border search. You can truthully tell agents that the data is simply notpresent on your device at all; you are not carrying it with you.

Con: Some data that you store with a third-party online service provider in the United Statesenjoys less legal protection than data you store on your own computer.

You can get the best o both worlds when you encrypt your data separately beore storing itwith a cloud storage provider. Ten the cloud storage provider does not know the inormationrequired to decrypt the data, so it cant access your data at all. Some cloud storage providers likeSpiderOak17, arsnap18, and Wuala19 make this kind o protection a standard part o their ser-


9/24


vices, while tools like Duplicity20 and ahoe-LAFS21 let you set up your own encrypted backupinrastructure.

I you decide to move some les into cloud storage beore crossing the border rather thankeeping your les there all along, remember that merely deleting les wont always remove theirnames or contents rom your device. See Te Challenges o Secure Deletion, below.

Backups Using an External Hard Drive

You can also easily make a backup onto an external hard drive instead o (or in addition to) anetwork server. Tis hard drive can, and should, be encrypted so that only someone who knowsthe proper passphrase can read its contents. In general, store and transport your backup andyour computer separately. In particular, we recommend you dont carry your backup acrossthe border at the same time as the computer its backing up!

Remember that backups can take time, so plan accordingly. Using a USB connection, a 60 GBlaptop drive could take over 15 minutes to back up (probably longer), while a 1 B drive could

take around ve hours. You can use incremental backups together with encryption to makethetimeabitshorter.USBspeakdatarateis60MB/s(forUSB2,thelatestversionyoucanassume is widely supported), so plan ahead and use incremental backups where appropriate.Note that current computers might let you connect external drives using Firewire, or eSAAinteraces as well, although the most universally compatible is USB, which is also the slowest(unless you have USB 3, which is still uncommon as o mid-2011).

A 2 B external drive (sel-contained and ready to use) is relatively cheap and is probably morethan sucient or a complete encrypted backup o any computer youre likely to use. You can

Hard Drive Image BackupsI you have a large external hard drive at home, you can make a byte-or-byte image copy o

your laptop hard drive beore your trip; then you can install a resh operating system or travel

purposes, overwriting the laptop contents. When you return home, you can restore the image

copy onto your laptop (overwriting the travel operating system) and pick up where you let

of.

Regardless o what operating system you usually run, you can do this most easily with a Linux

live CD. (This operation happens below the level o the operating system, so it can be used

on any operating system.) The external drive to which you make the backup should itsel be

encrypted, because the backup contains all o the inormation rom your hard drive (includ-

ing things you may think are deleted, and including saved passwords and authorization

credentials) in a usable, accessible orm.

Note that making or restoring a ull-drive backup can take a long time; its usually limited by

the capacity o the connection to the external hard drive and could be up to several hours or

a large laptop drive.

Since hard drive sizes have been growing aster than Internet connection speeds, image

backups over the Internet are unlikely to be easible except in the most highly Internet-

connected places. (An Internet-based image backup is similar to swapping hard drive images

onto an external disk, except that the external disk isnt physically plugged into the local com-

puter but is located somewhere else. Encryption should be used to protect the hard drives

contents.)


10/24


also get an enclosure to turn an internal hard drive into an external hard drive. High-qualityenclosures are also relatively inexpensive and protect the internal drive against physical damage,as well as providing power and making it easy to plug and unplug the drive.

Minimizing Data You Carry

One strategy or protecting your data when traveling is to minimize how much data you carry.Tis can be as simple as choosing not to bring a device which may hold sensitive data with youduring a border crossing, or it can involve removing data you dont want border agents to ac-cess. Tere are a wide variety o ways to eectively remove data, depending on the devices andnetwork access that you have.

One approach is to physically remove the hard drive rom your laptop beore your trip. Youmight purchase a separate laptop hard drive or travel purposes and install a resh operat-ing system on it. Ten you can switch hard drives beore and ater your trip and pick up whereyou let o when you get back home.

Alternatively, you can remove your hard drive beore your trip and use your computer with

no hard drive at all (by starting an operat-ing system rom a CD, USB drive, or SDcard). See the Operating System on an SDCard section below or a more detaileddiscussion. Instead o storing les on a harddrive, you can store them on a USB or SDmedium or on a network server that youaccess via an encrypted connection. Again,in this scenario, you can put your normallaptop hard drive back in when your trip iscomplete. In any case, you can ensure that

the inormation on your laptop while youretraveling is minimized and that you haveonly the inormation youll need during thetrip.

You could also use an inexpensive travelcomputer on which, by design or by prac-tice, you avoid saving les, instead storingthem in the cloud on network servers. A

Case Scenario: Doctor Condentiality

Akina is a doctor in Japan. She is traveling to the United States with her young son to attend

a relatives wedding. She wants to ensure that she can access any email messages that herpatients send her while she is abroad, and considers it critical to protect the condentiality

o those messages. On the other hand, she doesnt want any conrontation with the border

agents she worries that being detained will upset her child, and, i they are reused entry,

they will miss the wedding. Akina chooses not to carry a laptop at all. Instead, beore her trip,

she mails a travel laptop to her relative in the United States. Ater the wedding, she securely

wipes the laptop and takes it back to Japan with her.

Case Scenario: Philosophical

Grounds

Howard rmly believes as a matter o prin-

ciple that the government has no business

siting through the contents o his laptop,

and hes willing to stand up or that belie.

He is entering the United States ater travel-

ing around Asia or three months. He backs

up his data on a remote server beore his

trip. He also uses strong cryptography toencrypt his hard drive and chooses a strong

passphrase. I the border agents ask him

or the passphrase, he intends to say no. He

knows this might cause the agents to seize

the laptop, but they are unlikely to break the

password, and he can still have access to the

inormation on the laptop because he has

stored it remotely.


11/24


traditional netbook is suitable or this, while a Chromebook running ChromeOS helps au-tomate the process. (Bear in mind that common application sotware could leave orensicallyrecoverable data on the local hard drive even i you normally only save les on network servers.)Tey could make good investments or requent travelers. Note that, i you do consider usingcloud data storage, its important to keep in mind the privacy concerns associated with giving aservice provider access to your data; or instance, though Chromebooks store little data locally,Google can access the inormation these devices store in Googles cloud service. We discuss

these issues in Backups Using the Internet, above.As a way o limiting what they physically carry across an international border, some travelerswill send computers, hard drives, USB fash drives, or SD cards through the mail or othershipping service. Te legal protection aorded to computers and data sent via internationalmail is not appreciably better than at border crossings,22 but travelers can at least know thatthey wont be questioned about those devices while they and the devices are both under borderagents control.

The Challenges o Secure Deletion

Simply deleting data rom your hard drive with your normal OS le deletion eatures is notsecure and the data is still present and recoverable on your hard drive. Just because deletedles are no longer visible in your operating systems le manager does not mean that a orensicexpert cant undelete them or deduce that they were once present. Te orensic sotware willexamine the bytes actually stored on disk, which contain much more inormation than youroperating system shows you.

Even i you delete les securely when uploading them, there might still be local traces o thoseles contents because o cached copies, metadata, and swap space issues.23 For example, lenames o cloud-stored les may still be mentioned on your hard drive. Perhaps copies o someo them are temporarily downloaded while youre working on them, and the local traces or eventhe complete contents would then be visible with appropriate orensic sotware.

Securely erasing les requires overwriting them, not just pressing delete in the user interaceor emptying an electronic wastebasket. As Simson Garnkel explains, it also doesnt work tojust ormat a hard drive on most systems.24 Remember: an action may appear to erase or sani-tize data, but may be easily undone by a knowledgeable orensic examiner.25

You can use DBAN26 to delete entire laptop hard drives (or external hard drives or memorycards) saely. According to more recent research, multiple-pass overwriting (something ex-tensively promoted during the 2000s) is probably not necessary. Tis is important becausemultiple-pass overwriting oten takes most o a ull day and has discouraged people rom usingsecure deletion tools, especially i theyre in a hurry. Single-pass overwriting in a correctly-im-plemented secure deletion tool is qualitatively much better than nothing, and especially muchbetter than deciding not to overwrite data at all because o the time it would take!

Tere are some types o sotware known as secure le deletion utilities or Secure Emptyrash which might be be useul or erasing individual les saely. However, in moderncomputing environments, these methods are not necessarily ail-sae when aced with expertorensic analysis. We do not recommend that you rely on them or removing your sensitivedata rom a device.

Some operating systems have a useul way to clear ree space on a disk. I your system hasthis eature, it helps make most kinds o deleted data hard to undelete, but deleted regions or


12/24


data within les or databases may not be purged i the les or databases themselves still exist.For example, clearing ree space should prevent the undeletion o deleted les, but perhaps notundeletion o deleted emails and web history i they were stored inside o larger les that stillexist.

A perennial problem is that many kinds o application sotware invisibly leave traces behindwhen you open or work with les. For example, applications might make a temporary copy, orlist a les name in a Recently used documents list. Forensic sotware is written to be aware o

these traces and search them out. Tis is also a substantial risk or people who use disk en-cryption to protect data on removable storage devices.27 With this concern in mind, the mostprudent course would be to assume that some trace o any les viewed or edited on a particu-lar computer could still be present on that computers hard drive. Tats why using ull-diskencryption is, according to some researchers, the saest strategy (although less helpul i youanticipate turning over your passphrase i asked).

Operating System on an SD Card

On the most modern laptops, its possible to use an SD card like a hard drive; thus, you canchoose to use an SD card in place o a conventional hard drive and keep your entire operatingsystem and all your data on on it. (You should still use disk encryption or the data on the SDcard.) Since you can keep the SD card in your pocket or wallet when its not in use, its con-siderably harder or someone to take it rom you without your knowledge or tamper with it(although, since its so tiny, its much easier to lose).

You can also easily prepare several dierent operating system images on separate SD cards,or separate purposes or separate trips. In this case, its easier to send them in the mail or eveneasily erase or destroy a card when you no longer need it. Privacy expert Chris Soghoian, whodescribed this technique, reports that his laptop gets better battery lie when he uses an SDcard in place o a hard drive28.

You can even use the same SD card in a digital camera or taking photos, so that a single card

serves both as your camera storage medium and your encrypted hard drive.

Encryption

Disk encryption protects your data i your computer is ever lost or stolen during your travels,so its a useul precaution even or people who plan to cooperate completely with border agentsrequests or assistance in inspecting devices. Also, using encryption can help ensure you knowwhether your computer was actually searched, because you are in the loop a successulsearch will not happen without your knowledge. I you dont use ull-disk encryption, borderagents can search your computer in another room and you wont necessarily know whether thishas happened, because they will not require your cooperation.

Account Passwords Versus Full-Disk Encryption

People oten decide that they need to set a password on their computer in order to protecttheir data. Tis intuition is right, but the details matter quite a lot; not all ways o setting apassword provide the same kind o protection, and many dont involve any encrypton.

An account password or screen-lock password is enorced by the operating system code.Te operating system is congured to ask or the password and wont allow access unless theright one is provided. But the data is still simply present on the hard drive. An account pass-


13/24


word is easily bypassed by accessing the same disk using a dierent operating system, whichwont require that the correct account password be entered. Alternatively, the hard drive couldbe physically removed rom the computer and read using a dierent computer; again, no pass-word would be needed.

By contrast, disk encryption uses mathematical techniques to scramble data so it is unintel-ligible without the right key. Tis mathematical protection works independently o the policiescongured in the operating system sotware. A dierent operating system or computer can-not just decide to allow access, because no computer or sotware can make any sense o the datawithout access to the right key.

Tis distinction makes a major practical dierence. Bypassing an account password is a routineoperation that can be done automatically with orensic sotware that bypasses the operatingsystem and looks directly at the disk, interpreting its contents or the orensic analyst; youraccount password is no obstacle or this orensic sotware. CBP, ICE and other ederal lawenorcement agencies have sta with extensive training in the use o orensic sotware and areprepared to use it i they think the contents o your computer are interesting enough.

Fortunately, modern computer systems come with comparatively easy ull-disk encryption toolsthat let you encrypt the contents o your hard drive with a passphrase that will be requiredwhen you start your computer. Using these tools is the most undamental security precaution orcomputer users who have confdential inormation on their hard drives and are concerned aboutlosing control over their computers not just at a border crossing, but at any moment during a tripwhen a computer could be lost or stolen.

Threats to Disk Encryption

Full-disk encryption is not an impregnable solution to all concerns about data privacy. It

could conceivably be bypassed in certain ways:

Bybreakingintoyourcomputerwhileyoureusingit(withaTrojanhorseorspearphish-

ing, or exploiting a vulnerability in sotware that you use).

Withacold boot attack

i the attacker has control o your computer while its turned on,ater youve already entered your passphrase (even i the screen is locked or the comput-

er is in suspend mode).

Withanevil maid attacki the attacker has control o your computer while its turned of

and you use it later on without realizing the attack has happened.

Bylearningyourencryptionpassphraseorkeywithhigh-techsurveillancetechniques

(such as video surveillance or emanations monitoring).

A simple precaution against cold boot attacks at the border is available. You should always

turn o your computer (physically power o, not suspend or hibernate, and not

just closing the lid) beore crossing the border. I a computer is on and you have previ-

ously entered the disk encryption passphrase, there are techniques or extracting it directly

rom the computers memory (even i the screen is locked). Powering the computer of pre-

vents these techniques rom working.


14/24


Choosing a Disk Encryption Tool

Choosing encryption tools is sometimes chal-lenging because there are so many options avail-able. For the best security, choose a ull-disk en-cryption tool that encrypts everything on yourcomputer rather than a le-encryption toolthat encrypts individual les separately. Tis

may need to be set up at the time your operatingsystem is rst installed. Every major operatingsystem now comes with encryption options.

MicrosoftBitLockerinitsmostsecuremode is the gold standard because it pro-tects against more attack modes than othersoftware.Unfortunately,Microsofthasonlymade it available with certain versions oMicrosoftWindows.

TrueCrypthasthemostcross-platformcompatibility.

MacOSXandmostLinuxdistributionshave their own ull-disk encryption sotwarebuilt in.

For more detailed inormation about the advan-tages and disadvantages o various tools, consultthe Wikipedia article on comparison o ull-diskencryption sotware.29

Choosing a Secure Passphrase

Unlike other passwords, cryptographic passwords specically need to be long and extremelyhard to guess. Tis is because a computer (or a cluster o many computers) can be pro-grammed to try trillions or quadrillions or more o possibilities automatically. I the passwordis too short or otherwise constructed in too predictable a way, this brute orce guessing ap-proach will eventually succeed in cracking the password by trying every possibility.

Approaches to choosing encryption passwords that dont take account o this reality are obso-lete. For instance, many users have historically been trained to use random passwords around7-8 characters and containing letters, numbers, and punctuation marks, like these:

1rThlr9 &&0HxEV iq#tW}i7 9/NKgKaI G>oX/7Ip s@;30:[E

Tese passwords are certainly hard to remember and hard or a human being to guess, buttheyre simply not sae enough as cryptographic passwords against modern crypto-cracking de-vices, which would easily be able to guess each o them. In 1999, EFF built a crypto-crackingmachine that could try 256 possibilities in under three days.30 Tats about enough to try everynine-letter password made o letters, numbers, and punctuation. Bear in mind that this was anon-prot organizations proo-o-concept project rom twelve years ago! Its a certainty thatgovernment agencies can crack even longer passwords with ease today.

Fortunately, modern practice provides useul alternatives. Instead o using a single word as an

Case Scenario: Documentary Film-

maker

Bill is a lmmaker who has made several

documentaries over the past ew years

about the eforts o authoritarian govern-ments to suppress dissent in their na-

tions. He traveled to a couple o Middle

Eastern countries last year, and has aced

heavy questioning at the U.S. border ever

since.Heisworkingonanewprojectin

Tunisia, where he lmed interviews with

several dissidents, and he wants to do

everything possible to protect the con-

dentiality o this ootage. He needs to

transport several hundred GBs o video

into the United States rom Tunisia. His

Internet access is not good, so uploadingit to a remote server is not a realistic op-

tion. Bill chooses to store the encrypted

video les on discs with a strong pass-

phrase and asks a riend to mail them to

him in the United States. Then he secure-

ly wipes his laptop and brings it back into

the United States with him.


15/24


encryption password, its now normal to use a long text called a passphrase.31 Arnoud Engel-riet denes a passphrase this way:

A passphrase is a sentence or phrase used instead o a single password. Because o itslength, a passphrase is more secure than a password. By using a phrase, it still is easy toremember.32

While some traditional advice emphasizes (correctly) that one should not use a dictionary

word as ones password, modern practice shows that using multiple dictionary words in onespassphrase is useul. Our calculations conrm that relatively short series o truly randomlychosen English dictionary words are secure; many people nd these somewhat more memo-rable. Te important thing is to choose enough words and to choose them in a random way.A useul technique or choosing secure passphrases with combinations o words is calledDiceware; this approach was devised by Arnold G. Reinhold.33 Te Diceware approach canbe carried out with actual physical dice, or using any o a variety o sotware applications, andoers a complete recipe or making sae and memorable passphrases.

A major advantage o passphrases made o words is that its oten possible to think o a mne-monicthatallowsyoutoeasilymemorizeyourpassphrase.RandallMunroesxkcdcomicshows a typical example or the Diceware-like phrase correct horse battery staple34: a horse is

being congratulated on correctly identiying a staple protruding rom a battery.

Note: this phrase, while memorable, is likely not long enough to be truly secure against

cracking by specialized encryption-cracking tools or machines, since Munroes advice

doesnt aim to protect against this kind o attack. A strong passphrase would be longer

or incorporate words roms a larger word list, like: exultantly barnacle slipshod Vancou-

ver rumble. This is also memorable! The Diceware article discusses in more detail how to

ensure your passphrase is long enough.


16/24


Another popular modern approach is to use a phrase, sentence, song lyric, poem, or long acro-nym that has been modifed in an unguessable way, such as by changing the spacing, punctuation,spelling, or capitalization in an idiosyncratic way, or altering the topic o the text or combiningseveral unrelated texts together.35

When encryption passphrases are orgotten, the disk contents will become completely unus-able. By design, the disk encryption sotware author is unable to override or bypass the protec-tion. Some systems like BitLocker suggest making a spare copy o the passphrase and storing

it somewhere sae and inconspicuous, physically distant rom the computer it protects. Tereare also technologies or allowing multiple people to share parts o the passphrase so that itcan only be recovered i several o them cooperate (usually, implementations o Shamirs SecretSharing Scheme, such as the ssss36 and Secret Sharp37 sotware). I you worry that you mightorget your passphrase, you could use this sotware to securely split it into pieces and store thepieces in dierent places.

Border Agent Demands or Access to Data

I a border agent asks you to provide an account password or encryption passphrase or todecrypt data stored on your device, you dont have to comply. Only a judge can orce you toreveal inormation to the government, and only to the extent that you do not have a valid FithAmendment right against sel-incrimination.38

However, i you reuse to provideinormation or assistance uponrequest, the border agent mayseize your device or urther in-spection or consider you uncoop-erative, which the agent may takeinto consideration when decidingwhether to allow you to enter theUnited States.

I you are planning to bringencrypted or password-protectedinormation over the border, itsbest to decide ahead o time howyou would respond to a borderagents request or help to inspectdata. Te best answer or yourparticular circumstance may beto cooperate or to politely decline to provide inormation. You could also choose to avoid thesituation altogether by bringing a blank device over the border and downloading your data once

you reach your destination.Another option is to generate a long and not-very-memorable encryption password beore yourtrip, and then have someone else hold onto it and send it to you later, ater youve crossed theborder. Tis might be especially practical with a work computer i you have support rom an Idepartment at your workplace, because the I department could hold onto the password oryou and let you know it when you check in with them again.39

For more advice on dealing with agents at the border, see the section titled Interacting withBorder Agents.

TrueCrypt Hidden Volumes

The TrueCrypt encryption sotware tries to provide

deniability by letting you create multiple en-

crypted disks protected by separate passwords in

such a way that the existence o additional hidden

data cant be easily proven or disproven. These ad-

ditional encrypted disks are known as hidden vol-

umes. Although TrueCrypt hidden volumes may

have some practical applications, we think theyare unlikely to be useul in the border search

context because they are most helpul when lying

to someone about whether there is additional hid-

den data on a disk. Lying to border agents is not

advisable, because it can be a serious crime.


17/24


Technology-specifc Considerations

Flash Drives

Flash memory devices (including USB fash drives and SD cards) are used as the internalstorage in most cell phones and digital cameras. Securely erasing their contents can pose anextra challenge because o a technology called wear leveling, which tries to prevent you romrepeatedly writing to the same place on the disk. Tat means that special orensic techniques

involving physically disassembling the fash drive can sometimes reconstruct contents that youattempted to overwrite, because the fash drive decided to put the overwriting data in a dier-ent physical location rom the overwritten data.40 Tis kind o orensic examination is muchrarer than basic disk orensics and is probably only a concern in a tiny number o situations.

Mobile Phones and Similar Devices

Devices like mobile phones increasingly hold tremendous amount o sensitive inormation,including photos and email messages that just a ew years ago might have been ound only incameras and laptops. Oten, they contain lists o your riends and colleagues and detailed logso when you communicated with them. Some mobile phones also store detailed logs o yourphysical location over time.

Although setting a password on your phone can be a sensible precaution, its worth emphasiz-ing that the password and screen-locking eatures that come with most phones provide nomeaningul protection against a skilled exam-iner. Tese passwords are like user accountpasswords on a PC, not like passphrases ordisk encryption; an examiner will not needto discover what the password is in order tobypass it.

Temporary Phones or Travel

I your mobile phone uses the internationalGSMstandard(usuallythecasefornon-U.S.mobile subscribers, or or U.S. customers oT-MobileandAT&TWireless),youcanavoidtaking your normal phone on your interna-tional trip at all, even i you want to use yourexisting phone number.41 Just get a dierentGSM-compatiblephoneandtransferyourSIMcardfromyourregularphoneintothenew phone. Your temporary phone will havear less o your private data on it, but sinceyourphonenumberisassociatedwiththeSIMcard rather than with the phone itsel, youcan still be reached at your normal telephonenumber (assuming that you have chosen to en-able international roaming services on your cellphone account). When your trip is over, youcanswaptheSIMcardback.

Case Scenario: Activist Associa-

tions

Vera has lots o riends who are involved in

controversial activism, and some o them

have had their laptops seized at the U.S.

border. Vera isnt an activist hersel, but

worries that the government will take an

interest in her i it learns that shes riendly

with people who are activists. She takes

a travel laptop on an international trip

with the minimum inormation necessary,

leaving most o her data at home. Beore

she enters the United States, she signs

out o her Gmail, Twitter and Facebook ac-

counts and makes sure that the passwords

arent stored in her browser. She also uses

WhisperCores ull disk encryption app

to secure the contacts, text messages,

and other content stored on her Androidphone. I asked or the passwords, she

intends to say no. She knows this might

cause the agents to seize the devices, but

they are unlikely to break the passwords,

which are very strong. I that happens,

Vera will still be able to access all the in-

ormation on the devices because she has

stored it remotely.


18/24


Secure Deletion o Data and Disk Encryption or Mobile Devices

Its very hard to be sure that inormation on mobile devices has been truly deleted. You mightchoosetodeleteinformationsuchasSMSmessagessothattheyarenotvisibletosomeonelooking through your phone, but there is typically no meaningul secure deletion option. Asophisticated orensic analysis may still reveal the contents o these deleted messages.

I your mobile device has a removable memory card such as an SD card, you can most securely

wipe its contents by physically removing it rom the mobile device and wiping it using securedeletion sotware in a PC.

In most cases, it may be better to travel with a separate mobile device that holds little privatedata rather than trying to rely on your phones security eatures to prevent border agents romreading private data.

I you preer to travel with your everyday mobile device, it may support specialized encryp-tion sotware. Te most recent release o Android or tablets (but not mobile phones) has acomprehensive encryption option, while some Android devices can be protected with add-onsotware like WhisperCore (which requires a resh installation o the phone sotware). Whis-perCore also supports making a networked backup o a phones contents, securely erasing

them, and re-downloading them later. BlackBerry devices also have potentially eective secu-rity options that may be able to protect data even against an expert; i you have an enterprise-managed BlackBerry, you can check out your user manual or ask your I department aboutthese eatures.

Digital Cameras

Agents may well ask to look through the contents o cameras, whether to try to disprove some-ones claim about where they traveled, in search o sexually explicit photographs, or simply outo curiosity.

Be aware that border agents may search your camera, copy its contents, or try to undelete im-

ages or videos that you believe youve deleted and that are no longer visible rom the camerasuser interace.42 Tere is no simple precaution against this, although low-level ormatting orlow-level overwriting a memory card in its entirety, using a computer and not a camera, shouldprevent undeletion; you should not rely on this unless youre amiliar with exactly what theormatting process is doing. (Notably, high-level ormatting o memory cards, or o hard drives,is totally ineective against orensic analysis.)

Te same considerations apply to camcorders and to the camera in your mobile phone.

Interacting with Border Agents

Border agents have a great deal o discretion to perorm searches and make determinations oadmissibility at the border. Keep in mind that any traveler, regardless o citizenship status orbehavior, can be temporarily detained by border agents or more detailed questioning, a physi-cal search o possessions, or a more extensive physical search.43 Reusal to cooperate withsearches, answer questions, or turn over passwords to let agents access or decrypt data maycause lengthy questioning, seizure o devices or urther examination, or, in extreme circum-stance, prevent admission to the country.44

For this reason, it may be best to protect your data in ways that dont require you to have awk-


19/24


ward conrontations with border agents at all. I you nd yoursel in such a situation, however,keep these tips in mind:

Dont Lie

Its extremely important that you do not tell a lie to a border agent. Doing so is a serious crimeor which you may be prosecuted even i your lie was not told to conceal any wrongdoing.45 Iyou are absolutely sure that you dont want to answer a specic question, its better to politely

decline to answer than to give a alse answer.

Dont Obstruct an Agents Investigation

Once its clear that a border agent is going to search your device or other possessions, dont takeany steps to destroy data or otherwise obstruct that process. Like lying, knowingly interer-ing with a border agents investigation is a serious crime.46 Write down the agents identiyinginormation and collect a receipt or property i appropriate. Ten le a complaint or consult alawyer about getting the item back. (For inormation on ling a complaint to CBP or ICE, seethe Appendix to this paper.)

CourtesyIts in your interest to be courteous to agents at all times during the border inspection process.CBP agents should also be courteous and proessional while searching your belongings, detain-ing, or questioning you.47 I they ail to do so, you can le a complaint.


20/24


Appendix

Resources or International Travelers With

Border Search Issues

Problems with or questions about an ICE or CBP examination?

I you have a question about CBP or wish to submit a ormal complaint about a CBP examina-tion, please go to .

o le a civil rights complaint against either CBP or ICE, you can le a complaint with the De-partment o Homeland Security Oce o Civil Rights and Civil Liberties. You may downloada complaint orm at .

Have you been repeatedly reerred to secondary screening? Do you sus-

pect your name is on a watch list?You may submit a complaint to the Department o Homeland Securitys raveler RedressInquiry Program at .

Want to know what inormation CBP or ICE has on fle about you?

Anyone can seek copies o records about themselves through the Freedom o Inormation Act.You can use the Privacy Act to ask or the same inormation i youre a U.S. citizen or lawulpermanent resident.

For inormation about submitting a request to CBP, see .

o request records rom ICE, see .

Feel as though your privacy or civil rights have been violated during a bor-

der search?

Please visit the Department o Homeland Securitys raveler Redress Inquiry Program tospeciy all scenarios that apply to your travel experience at .

Do you have urther questions?

Contact an attorney or help.
http://eff.org/https://help.cbp.gov/app/forms/complainthttp://www.ice.gov/doclib/secure-communities/pdf/crcl-complaint-submission-form-english.pdfhttp://www.ice.gov/doclib/secure-communities/pdf/crcl-complaint-submission-form-english.pdfhttps://trip.dhs.gov/http://www.cbp.gov/xp/cgov/admin/fl/foia/reference_guide.xmlhttp://www.cbp.gov/xp/cgov/admin/fl/foia/reference_guide.xmlhttp://www.ice.gov/foiahttps://trip.dhs.gov/https://help.cbp.gov/app/answers/detail/a_id/11/kw/border%20search/related/1https://help.cbp.gov/app/answers/detail/a_id/11/kw/border%20search/related/1https://trip.dhs.gov/http://www.ice.gov/foiahttp://www.cbp.gov/xp/cgov/admin/fl/foia/reference_guide.xmlhttp://www.cbp.gov/xp/cgov/admin/fl/foia/reference_guide.xmlhttps://trip.dhs.gov/http://www.ice.gov/doclib/secure-communities/pdf/crcl-complaint-submission-form-english.pdfhttp://www.ice.gov/doclib/secure-communities/pdf/crcl-complaint-submission-form-english.pdfhttps://help.cbp.gov/app/forms/complainthttp://eff.org/


21/24


Endnotes1 E.g., United States v. Arnold, 533 F.3d 1003, 1008 (9th Cir. 2008); United States v. Romm, 455 F.3d 990,

997(9thCir.2006);U.S.v.Linarez-Delgado,259F.Appx506,508(3dCir.2007);UnitedStatesv.McAu -ley, 563 F. Supp. 2d 672, 979 (W.D. ex. 2008); United States v. Roberts, 86 F. Supp. 2d 678, 688 (S.D. ex.2000); United States v. Bunty, 617 F. Supp. 2d 359, 365 (E.D. Pa. 2008); United States v. Hampe, No. 07-3-B-W,2007WL1192365,at*4(D.Me.Apr.18,2007).

2 See Electronic Device Privacy Act o 2008, H.R. 6588, 110th Cong. 2(a) (2008); ravelers Privacy Protec-

tion Act o 2008, S. 3612, 110th Cong. 4(a) (2008); Securing Our Borders and our Data Act o 2009, H.R.239, 111th Cong. 2(a) (2009).

3 U.S. Customs and Border Protection, Dir. 3340-049, Border Searches o Electronic Devices ContainingInormation at 5.1.2 (Aug. 20, 2009), http://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pd.

4 Id. at 5.3.1.

5 Id. at 5.2.2. (Other possibly sensitive inormation, such as medical records and work-related inormationcarried by journalists, shall be handled in accordance with any applicable ederal law and CBP policy.)

6 Id. at 5.3.2.2.

7 Id.

8 U.S. Immigration and Customs Enorcement, Dir. 7-6.1, Border Searches o Electronic Devices (ICE Di-rective) at 4, 6.1 (Aug. 18, 2009), .

9 Id. 8.3.

10 In one instance, ICE held onto David Houses laptop, thumb drive, and digital camera or 49 days. AnaquaintanceofaccusedWikiLeakswhistleblowerBradleyManning,Mr.HousewasreturningfromMexicowhen agents conscated his electronic equipment. While the Justice Department conceded that it held ontohis laptop or longer than thirty days, it explained that [t]he lack o password access required ICE computerexpertstospendadditionaltimeonMr.Houseslaptop.KevinPoulsen,FedsDefendSeizureofWikilLeaksSupporters Laptop, Wired Treat Level ( July 28, 2011) .

11 Id. at 8.4.

12 ICE Directive, supra note [8], at 8.6.

13 United States v. Cotterman, 637 F.3d 1068, 1070 (9th 2011) (petition or en banc rehearing led Sept. 12,2011) (permitting agents to transport a laptop to a orensic laboratory almost 170 miles away rom the bor-der and keep computer or two days to continue inspection, but the government cannot simply seize propertyunder its border search power and hold it or weeks, months, or years on a whim.)

14 See,e.g.,UnitedStatesv.Hanson,No.CR09-00946JSW,2010U.S.Dist.LEXIS61204(N.D.Cal.June2,2010) (reasonable suspicion required to search laptop about two weeks ater it was detained at the border andsent away or orensic analysis, and probable cause required to search laptop about our months ater initialdetentionatborder);UnitedStatesv.Stewart,715F.Supp.2d750,754-55(E.D.Mich.2010)(transportinga computer rom an airport to a remote location might result in an extended border search). However, both o

thesecasesrelysignicantlyonUnitedStatesv.Cotterman,No.071207,2009U.S.Dist.LEXIS14300(D.Ariz. Feb. 24, 2009), which was reversed on appeal. 637 F.3d 1068.

15 ACLU, Government Data About Searches o International ravelers Laptops and Personal ElectronicDevices (Aug. 25, 2011), http://www.aclu.org/national-security/government-data-about-searches-interna-tional-travelers-laptops-and-personal-electr.

16 For example, Guidance Sotware markets a popular orensic analysis tool called EnCase, which lets examin-ers acquire data rom a wide variety o devices, unearth potential evidence with disk level orensic analysis,and crat comprehensive reports on their ndings, all while maintaining the integrity o their evidence.EnCase Forensic, http://www.guidancesotware.com/orensic.htm (last visited Oct. 4, 2011). Government
http://eff.org/http://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/ice_border_search_electronic_devices.pdfhttp://www.dhs.gov/xlibrary/assets/ice_border_search_electronic_devices.pdfhttp://www.wired.com/threatlevel/2011/07/househttp://www.wired.com/threatlevel/2011/07/househttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.wired.com/threatlevel/2011/07/househttp://www.wired.com/threatlevel/2011/07/househttp://www.dhs.gov/xlibrary/assets/ice_border_search_electronic_devices.pdfhttp://www.dhs.gov/xlibrary/assets/ice_border_search_electronic_devices.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://eff.org/


22/24


agents have used this tool to recover deleted les when searching devices seized at the border. See UnitedStates v. Romm, 455 F.3d 990, 997 (9th Cir. 2006) (nding the search to be reasonable under the bordersearch exception). EnCase includes extensive unctionality to help relatively non-expert users make sense othe contents o a hard drive, including, or example, nding and reading the content o email messages. Com-puter orensic tools will become more automated in the uture; see Simson Garnkel, Automated ComputerForensics (available at ).

17 SpiderOak is a zero knowledge backup provider. Tis means that we do not know anything about the datathat you store on SpiderOak -- not even your older or lenames. On the server we only see sequentially

numbered containers o encrypted data.

18 Backups should be secure against attackers ranging rom script kiddies up to major world governments,even i they can compromise the systems on which the backups are being stored. Backups are supposed to bea tool or mitigating damage not a potential vulnerability to worry about!

19 [I]n stark contrast to most other online storage services, all your les get encrypted on your computer, sothat no one - including the employees at Wuala and LaCie - can access your private les. Your password neverleaves your computer.

20 Duplicity is available rom .

21 ahoe-LAFS is available rom .

22 See United States v. Seljan, 547 F.3d 993, 999 (9th Cir. 2008) (en banc).

23 Alexei Czeskis, David J. St. Hilaire, Karl Koscher, Steven D. Gribble, adayoshi Kohno, and Bruce Schneier,Deeating Encrypted and Deniable File Systems: rueCrypt v5.1a and the Case o the attling OS and Ap-plications, available at .

24 See .

25 Undeletion is a standard, built-in eature o orensic products used by law enorcement and border agen-cies. It works reliably i deletion was done recently. It may work even ater an operating system reinstallation(slack space), depending on how the reinstallation process works. (However, it typically doesnt work aterOS reinstallation i ull-disk encryption was used on the previous OS image, because the new operatingsystem will overwrite the decryption keys and make the old systems encrypted data unrecoverable.)

26 DBAN is available rom http://www.dban.org/.

27 Czeskis et al. point out that the operating system and applications can leak signicant inormation about theexistence o, and the les stored within, a hidden volume:

[Tese risks] also seem applicable to regular (non-deniable) disk encryption systems in which only a subseto all the users entire disks are encrypted and in which a user does not deny the existence o the encrypted re-gions but does reuse to divulge the passwords. [...] In summary with regard to disk encryption, in situationswhere there is a need to protect the privacy o individual les, the saest strategy appears to be to encrypt thefulldisk[...]Forexample,theauthorsfoundthatMicrosoftWordwouldperiodicallyauto-savecopiesofadocument being edited. Even i the document being edited was located on an encrypted volume, Word couldplace the auto-saved copies on an unencrypted volume; even though they were automatically deleted, thesecopies could easily by undeleted by a orensic examiner. (In a similar vein, applications may create and store a

preview or icon version o documents and images they open.) Supra note [23].28 https://twitter.com/#!/csoghoian/status/75793191177166849 (4GB SD cards are cheap, can be destroyed

beore going through US customs, and by taking out my [hard drive], my laptop battery now lasts 8 hrs.)

29 See .

30 See EFFs DES Cracker page:

31 For a useul general discussion o passphrases, see Indiana University UIS, Passwords and Passphrases,available at , and Passphrases, availalbe at


23/24


bersecurity/saeonline/passphrases>. Tese documents are not specically ocused on passphrases or diskencryption; bear in mind our warning, inra note [34].

32 Arnoud Engelriet, Te Passphrase FAQ, available at .

33 See Reinhold s Diceware page at .

34 xkcd #936, available at . Note that this phrase is likely too short or diskencryptionuse;Munroecalculatesitsstrengthatonly44bits.Reinholdsadvicesuggestsusingatleastve

random words or a passphrase or encryption purposes, when the words are chosen rom a list that includesonly simple everyday words. Exactly how long or unpredictable a passphrase needs to be to be secure againstcracking by machines is a complex question, and relies on speculation and assumptions about the capabili-ties o the organizations that will try to crack your passphrase. Some disk encryption systems can be saeeven with relatively short passphrases because o how they use key stretching technologies; see . But you should not use this as an excuse tochoose a simpler passphrase unless you understand the precise technical details o how the disk encryptionsotware youve chosen uses key stretching. Note that this comic is licensed under a Share ADDIIONALNOE: licensed under a Creative Commons Attribution-NonCommercial 2.5 License.

35 Simply using a quotation or song lyric by itsel is not sae because there are readily available lists o quotationsand lyrics, comprising only millions o distinct sentences. Tis is a tiny number or a computer to test. Yourpassphrase should never be identical to anything that has ever been published anywhere.

36 .

37 .

38 See In re Grand Jury Subpoena to Sebastien Boucher, 2:06-mj-91, 2007 WL 4246473 (D. Vt. Nov. 29,2007), appeal sustained by 2009 WL 424718 (D. Vt. Feb. 29, 2009); United States v. Rogozin, 09-CR-379,2010WL4628520at**5-6(W.D.N.Y.Nov.16,2010);UnitedStatesv.Kirschner,No.09-MC-50872,2010WL1257355(E.D.Mich.March30,2010).

39 Tis should become ar easier and more routine in the uture, as suggested by Roxana Geambasu, John P.John,StevenD.Gribble,TadayoshiKohno,andHenryM.LevyKeypad:AnAuditingFileSystemforeft-Prone Devices, in Proceedings o the European Conerence on Computer Systems (EuroSys), Salzburg,Austria, April 2011, available at .

Geambasu et al. describe an encryption system where a network server, rather than an end-user, holds thekeys. Under normal circumstances, the server will immediately provide the keys to decrypt any le that auser wants to use, but the server operator can temporarily or permanently revoke a devices ability to requestdecryption keys (or example, i the device is lost). When practical implementations o this system becomeavailable, they could be ideal or border crossings, because a server can turn o decryption key access or atravelers laptop at a given time and re-enable it only ater the traveler has passed through immigration andcustoms.

40 MichaelWei,LauraM.Grupp,FrederickE.Spada,andStevenSwanson,ReliablyErasingDataFromFlash-BasedSolidStateDrives(inProceedingsofthe9thUSENIXConferenceonFileandStorageTechnologies),available at . Wei et al. note that, [t]heinternals o an SSD [solid state drive] dier in almost every respect rom a hard drive, so assuming that theerasure techniques that work or hard drives will also work or SSDs is dangerous.

41 NotallmobileserviceplanssupportusingyourSIMcardinaforeigncountry.Ifindoubt,contactyourmo-bile phone carrier.

42 Deleted photos on cameras are generally not really erased, and can be trivially undeleted using a computerand widely available sotware. Undeleting photos rom a cameras memory card does not usually require spe-cial technical expertise or orensic training.

43 See Inspection o Electronic Devices, supra, note [19] at 1; U.S. Customs and Border Protection, ReasonsYouMayBeSearchedByCBP,https://help.cbp.gov/app/answers/detail/a_id/26/kw/border%20search(last visited Oct. 4, 2011).
http://eff.org/http://protect.iu.edu/cybersecurity/safeonline/passphraseshttp://www.iusmentis.com/security/passphrasefaqhttp://www.iusmentis.com/security/passphrasefaqhttp://world.std.com/~reinhold/diceware.htmlhttps://www.xkcd.com/936https://en.wikipedia.org/wiki/PBKDF2#Disk_encryption_softwarehttps://en.wikipedia.org/wiki/PBKDF2#Disk_encryption_softwarehttp://creativecommons.org/licenses/by-nc/2.5/http://point-at-infinity.org/sssshttp://sourceforge.net/projects/secretsharphttp://eurosys2011.cs.uni-salzburg.at/pdf/eurosys2011-geambasu.pdfhttps://db.usenix.org/events/fast11/tech/full_papers/Wei.pdfhttps://help.cbp.gov/app/answers/detail/a_id/26/kw/borderhttps://help.cbp.gov/app/answers/detail/a_id/26/kw/borderhttps://db.usenix.org/events/fast11/tech/full_papers/Wei.pdfhttp://eurosys2011.cs.uni-salzburg.at/pdf/eurosys2011-geambasu.pdfhttp://sourceforge.net/projects/secretsharphttp://point-at-infinity.org/sssshttp://creativecommons.org/licenses/by-nc/2.5/https://en.wikipedia.org/wiki/PBKDF2#Disk_encryption_softwarehttps://en.wikipedia.org/wiki/PBKDF2#Disk_encryption_softwarehttps://www.xkcd.com/936http://world.std.com/~reinhold/diceware.htmlhttp://www.iusmentis.com/security/passphrasefaqhttp://www.iusmentis.com/security/passphrasefaqhttp://protect.iu.edu/cybersecurity/safeonline/passphraseshttp://eff.org/


24/24

44 For example, the government may reuse non-citizens entry into the U.S. or a variety o reasons. Immigra-tion and Nationality Act 212(a), 8 U.S.C. 1182 (2010). While ew judges have shed light on the issue, atleast one court has ound that U.S. citizens have an absolute and unqualied right to reside in the UnitedStates and cannot be denied reentry. United States v. Valentine, 288 F. Supp. 957, 980 (D.P.R. 1968); see alsoWorthy v. United States, 328 F.2d 386 (5th Cir. 1964) (We think it is inherent in the concept o citizenshipthat the citizen, when absent rom the country to which he owes allegiance, has a right to return, again to setoot on its soil.).

45 18 U.S.C. 1001 (2006) (it is a crime to willully or knowingly alsi[y], conceal[], or cover[] up by any trick,

scheme, or device a material act or make any materially alse, ctitious, or raudulent statement or represen-tation to a ederal agent).

46 18 U.S.C. 1519 (2006) (it is a crime to knowingly alter[], destroy[], mutilates[], conceal[], cover[] up,alsi[y], or make[] a alse entry in any record, document, or tangible object with the intent to impede,obstruct, or infuence the investigation or proper administration o any matter within the jurisdiction o anydepartment or agency o the United States[.]

47 U.S. Dept o Homeland Security Customs and Border Protection, Inspection o Electronic Devices at 1,http://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pd(last vis-ited Oct. 4, 2011) (I you are subject to inspection, you should expect to be treated in a courteous, dignied,and proessional manner.).
http://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdfhttp://www.cbp.gov/linkhandler/cgov/travel/admissibility/msa_tearsheet.ctt/msa_tearsheet.pdf

Documents

EFF Border Search 0