EFF Border Search Electronic Devices

7/31/2019 EFF Border Search Electronic Devices

1/24

De ending Privacyat the

U.S. Border:A Guide or Travelers

Carrying Digital Devices

By Seth Schoen, Marcia Ho mann

and Rowan Reynolds

December 2011

ELECTRONIC FRONTIER FOUNDATIOeff.org
http://eff.org/http://eff.org/


2/24


3/24

2ELECTRONIC FRONTIER FOUNDATION EFF.ORG

Authors: Seth Schoen, Marcia Ho mann and Rowan Reynolds

Editing: Rainey Reitman and Mark Jaycox

Graphics and layout : Hugh DAndrade

A publication o the Electronic Frontier Foundation , 2011

Copyright: De ending Privacy at the U.S. Border: a Guide or Travelers Carrying Digital Devices is licensed un-der a Creative Commons Attribution 3.0 Unported License unless otherwise noted.
http://eff.org/http://creativecommons.org/licenses/by/3.0/http://creativecommons.org/licenses/by/3.0/http://eff.org/


4/24


De ending Privacy at the U.S. Border:A Guide or Travelers Carrying Digital Devices

Our lives are on our laptops amily photos, medical documents, banking in ormation, detailsabout what websites we visit, and so much more. Tanks to protections enshrined in the U.S.Constitution, the government generally cant snoop through your laptop or no reason. Butthose privacy protections dont sa eguard travelers at the U.S. border, where the U.S. govern-ment can take an electronic device, search through all the les, and keep it or a while orurther scrutiny without any suspicion o wrongdoing whatsoever.

For doctors, lawyers, and many businesspro essionals, these border searches can com-promise the privacy o sensitive pro essionalin ormation, including trade secrets, attorney-client and doctor-patient communications,research and business strategies, some o

which a traveler has legal and contractual obli-gations to protect. For the rest o us, searchesthat can reach our personal correspondence,health in ormation, and nancial records arereasonably viewed as an a ront to privacy anddignity and inconsistent with the values o aree society.

Despite the lack o legal protections againstthe search itsel , however, those concernedabout the security and privacy o the in orma-tion on their devices at the border can usetechnological measures in an e ort to protecttheir data. Tey can also choose not to takeprivate data across the border with them at all,and then use technical measures to retrieve itrom abroad. As the explanations below dem-onstrate, some o these technical measures aresimple to implement, while others are complexand require signi cant technical skill.

Why Can My Devices Be Searched at the Border?Te Fourth Amendment to the United States Constitution protects us against unreasonablegovernment searches and seizures. Tis generally means the government has to show a courtprobable cause that a crime has been committed and get a warrant be ore it can search a loca-tion or item in which you have a reasonable expectation o privacy. But searches at places wherepeople enter or leave the United States may be considered reasonable simply because theyhappen at the border or an international airport.

Several ederal courts have considered whether the government needs any suspicion o criminal

Why might people want to protecttheir data at the border?

Business travelers, lawyers, doctors, orother pro essionals may have con -dential or privileged in ormation on

their laptops that they dont want oth-ers to see or that they are obligated bylaw or contract to protect.

People may have sensitive personalin ormation on their devices such asmedical records, nancial documents,and years o correspondence with am-ily, riends and business associates.

Some travelers may have repeated dif -culties crossing the border, and wishto take proactive steps to protect theirdata in light o their past experiences.

Some may feel as a matter of principlethat the government shouldnt beable to view their private in ormationsimply because they choose to travelinternationally.


5/24


activity to search a travelers laptop at the U.S. border. Un ortunately, so ar they have decidedthat the answer is no.1 Congress has also weighed several bills to protect travelers rom suspi-cionless searches at the border, but none has yet passed.2

For now, a border agent has the legal authority to search your electronic devices at the bordereven i she has no reason to think that youve done anything wrong.

How the Government Searches Devices at theBorderTere are two government agencies primarily responsible or inspecting travelers and itemsentering the United States: the Department o Homeland Securitys Customs and Border Pro-tection (CBP) and Immigration and Customs En orcement (ICE). (Occasionally, CBP or ICEcan make special arrangements to question a passenger departing rom the United States orinspect her belongings, but neither agencyroutinely does so.)

Te law gives CBP and ICE agents a greatdeal o discretion to inspect items com-ing into the county. While its impossibleto know or sure how theyll handle everyborder search situation, agencies havepublished their policies or searching elec-tronic devices and data.

CBP tells its agents that with or withoutindividualized suspicion, they can inspectelectronic devices and data encounteredat the border.3 Te agency can keep your

computer or copies o your data or abrie , reasonable amount o time to besearched on- or o -site. Ordinarily, thisisnt more than ve days.4 CBP recognizesthat agents might run across privileged orsensitive in ormation stored on devices,but does not clearly explain the proceduresor handling it.5 When CBP agents experi-ence technical di culties or encounter in-ormation that is encrypted or written in aoreign language, they may send the device

or a copy o the data to other governmentagencies that might be able to help accessthe in ormation.6 Border agents dont needany suspicion o wrongdoing to seek thisassistance,7 and its unclear whether thecooperating agencies can keep copies o thedata they receive inde nitely.

Which Three-Letter Acronym Was ThatAgain?

The Department o Homeland Security(DHS) has several departmental missions,including to secure[] the nations air, land andsea borders to prevent illegal activity whileacilitating law ul travel and trade. Departmento Homeland Security Missions and Responsi-bilities,http://www.dhs.gov/xabout/responsi-bilities.shtm (last visited Oct. 4, 2011).

Customs and Border Protection (CBP) isthe primary agency that inspects and searchestravelers entering the United States. For exam-

ple, when you arrive in the U.S., you can expectto be interviewed at the border by a CBP agentand to present your Customs declaration toanother CBP agent.

Immigration and Customs En orcement(ICE)investigates violations o laws relatedto borders. Although ICE has border searchauthority, it isnt routinely involved in searchingor interviewing travelers at ports o entry.

The Transportation Security Administra-tion (TSA) is responsible or transportationsecurity within the United States, and does notper orm searches at the border. Normally, TSAsearches travelers be ore they board a plane,not a ter they land. You can expect to besearched by TSA when departing the U.S. byair, but the screening TSA per orms is usuallyidentical or domestic and international pas-sengers.
http://eff.org/http://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://www.dhs.gov/xabout/responsibilities.shtmhttp://eff.org/


6/24


Like CBP agents, ICE agents may inspect electronic devices and the in ormation on themwith or without individualized suspicion.8 ICE will typically complete searches o devicesand copies o data within 30 days,9 though anecdotal reports suggest that travelers devices aresometimes detained or signi cantly longer periods o time.10 ICEs policy, like CBPs directive,says that agents may seek technical assistance rom others to translate or decrypt data,11 and issimilarly vague about how agents should handle privileged or sensitive in ormation.12

Beyond seizing the device at the border, the government may take a device to a location awayrom the border or urther inspection.13 I this occurs, searches o devices that are conducted ata time and/or place removed rom the initial border stop can become extended border searchesthat require reasonable suspicion o wrongdoing or even regular searches that require a prob-able cause warrant.14

In short, border agents have a lot o latitude to search electronic devices at the border or takethem elsewhere or urther inspection or a short period o time, whether or not they suspect atraveler has done anything wrong.

For now, the government searches only a small percentage o international travelers electronicdevices. According to documents obtained by the American Civil Liberties Union through theFreedom o In ormation Act, more than 6,500 people traveling to and rom the United Stateshad their electronic devices searched at the border between October 2008 and June 2010, anaverage o more than 300 border searches o electronic devices a month. Almost hal o thosetravelers were U.S. citizens.15 Tis means that these searches are a regular occurrence, but onethat most travelers will never encounter given the number o travelers who cross the bordereach month.

Te requency o technology-oriented searches at the border may increase in the uture. Re-searchers and vendors are creating tools to make orensic analysis aster and more e ective,and, over time, orensic analysis will require less skill and training.16 Law en orcement agenciesmay be tempted to use these tools more o ten and in more circumstances as their use becomeseasier.

Deciding How to Protect Your DataDi erent people will choose di erent kinds o precautions to protect their data at the borderbased on their experience, perception o risk, and other actors.There is no particular ap-proach we can recommend or all travelers. Tese are some o the considerations youmight take into account:

Your citizenship, immigration, or residence status. I you are not a U.S. citizen, you maybe more easily denied entry into the country, and so you may want to be especially care ulto avoid situations where border agents might consider you uncooperative or taking stepsto protect your data or politely re using to provide encryption passwords.

Time sensitivities. Is it important or you to reach your destination by a certain time?I border agents hold you up with questioning or attempts to search your devices, it maywreak havoc on your travel schedule.

How much hassle youre willing to tolerate rom border agents. I you want to secureyour data but are uncom ortable about the possibly o appearing uncooperative with borderagents, it might be best to avoid such awkward situations all together. For example, you


7/24


might choose to take a blank device overthe border and download your data onceyou reach your destination rather thanace an uncom ortable interaction witha border agent who wants to search thedata on your device.

How important it is or you to have ac-cess to your data during your journey.Consider whether youll need your datawith you on the plane, or whether youcan wait until youve crossed the borderto access it.

How good your Internet access will beduring your travels. I youll have accessto lots o bandwidth, you might be ableto download the data you need once youreach your destination.

The countries youve visited be oreentering the United States. ravel tocertain countries may draw additionalscrutiny rom border agents.

Your history with law en orcement. I you are subject to an ongoing investiga-tion or otherwise under suspicion or any reason, you may be screened or questioned moreintensively.

Some Basic PrecautionsAll computer users who carry important in ormation on portable devices should be aware o two basic precautions:

Making regular backups, which ensures that your important information stays available toyou i your computer is ever taken rom you, lost, or destroyed. (I you dont have access toyour computer, youll still have access to your data.)

Encrypting the information on the computer, which ensures that your information stayscon dential rom other people whom you dont authorize to access it. (I you lose control o your computer, other people wont have access to your data.)

In the in ancy o personal computing, experts put particular emphasis on the need to makebackups. oday, we think these two precautions are really halves o a larger whole: making surethat that in ormation stays available to those you want to have it, and that its not available toothers. Applying these precautions can help you deal with travel incidents well beyond thecomparatively unusual case o border searches, like i you leave a laptop in a taxi or i someonesteals your backpack or purse rom a ca .

Te right time to get started with both o these precautions is be ore your trip, when youre athome or at work and have more time and greater access to other people who can help you getset up appropriately.

Case Scenario: Business Concerns

Alice is a requent business traveler who o -ten needs access to proprietary in ormationthat her company considers highly sensitiveand con dential. When she travels or work,she takes a special laptop that contains theminimum in ormation necessary or hertrip. Be ore she leaves the country, she usesstrong cryptography to encrypt that in or-mation. She also sets up two separate log-inaccounts on the computer: a protectedaccount where the encrypted les may beaccessed, and a separate account or otheruses o the laptop. Anyone who wants toview the con dential data must log in tothe protected account and then decryptthe les. Only Alices employer knows thepasswords to the account and encrypteddata, and the companys IT departmentsends the passwords to her in an encryptedemail message so that she can access thedata abroad. Be ore she returns to the U.S.,she securely wipes her laptop.


8/24


Tere are also other more elaborate precautions which you might nd use ul. A ter discussingthe basics, well suggest several o these below. Note that many o the precautions we will dis-cuss address the possibility that your electronic devices are taken away rom you, and examinedor hours by a trained expert. For travelers who eel that this is an important concern, its worthunderstanding what the capabilities o that expert examiner may be.

BackupsEvery year millions o computer users lose important in ormation accidentally or want o agood, current backup, so there are many good reasons other than the possibility o a bordersearch or seizure or you to have a current backup. In modern practice, backups are most o tenmade onto another computer over a network. (See our discussion o on-line service privacy inthe next section Backups Using the Internet.) You can also back up to an external hard drive,which can be extremely quick and easy.

Backups are especially important or travelers, since, aside rom the possibility o a bordersearch or seizure, travel presents many opportunities or losing your computer or data.

Backups Using the Internet

When youre backing up your computer over a network, bear in mind that Your connection to the server should be encrypted to prevent eavesdropping that would

reveal the contents o your backup.

e content o your backups should also be encrypted so that the backup service itsel cant read them. (Currently, only a ew services automate this process or you.)

Your backups should be frequent, especially while youre traveling away from home. eycan beincremental so that only things that have changed since your previous backup areactually transmitted over the network.

Your Internet access will need to beast enough to trans er the amount o in ormationyou have to back up in the time you have available.

Storing in ormation with an online service, sometimes also called a cloud service, is a popularchoice today; it may have signi cant bene ts or reducing the amount o data that could beexposed to a border search. For instance, you could keep your email with a webmail providerand not on your laptop, or edit documents on a network service like Google Docs, or store leswith a service like SpiderOak instead o on your computer. Devices like Chromebooks can dothis automatically so that you rarely physically store in ormation on a laptop at all. Relying onnetwork services and network storage has both advantages and disadvantages or privacy.

Pro: Data is not stored on your device, is not actually carried across the border, and is not

subject to a physical border search. You can truth ully tell agents that the data is simply notpresent on your device at all; you are not carrying it with you.

Con: Some data that you store with a third-party online service provider in the United Statesenjoys less legal protection than data you store on your own computer.

You can get the best o both worlds when you encrypt your data separately be ore storing itwith a cloud storage provider. Ten the cloud storage provider does not know the in ormationrequired to decrypt the data, so it cant access your data at all. Some cloud storage providers likeSpiderOak17, arsnap 18, and Wuala19 make this kind o protection a standard part o their ser-


9/24


vices, while tools like Duplicity20 and ahoe-LAFS 21 let you set up your own encrypted backupin rastructure.

I you decide to move some les into cloud storage be ore crossing the border rather thankeeping your les there all along, remember that merely deleting les wont always remove theirnames or contents rom your device. See Te Challenges o Secure Deletion, below.

Backups Using an External Hard Drive

You can also easily make a backup onto anexternal hard drive instead o (or in addition to) anetwork server. Tis hard drive can, and should, be encrypted so that only someone who knowsthe proper passphrase can read its contents. In general, store and transport your backup andyour computer separately. In particular,we recommend you dont carry your backup acrossthe border at the same time as the computer its backing up!

Remember that backups can take time, so plan accordingly. Using a USB connection, a 60 GBlaptop drive could take over 15 minutes to back up (probably longer), while a 1 B drive couldtake around ve hours. You can use incremental backups together with encryption to makethe time a bit shorter. USBs peak data rate is 60 MB/s (for USB 2, the latest version you canassume is widely supported), so plan ahead and use incremental backups where appropriate.Note that current computers might let you connect external drives using Firewire, or eSAAinter aces as well, although the most universally compatible is USB, which is also the slowest(unless you have USB 3, which is still uncommon as o mid-2011).

A 2 B external drive (sel -contained and ready to use) is relatively cheap and is probably morethan su cient or a complete encrypted backup o any computer youre likely to use. You can

Hard Drive Image BackupsI you have a large external hard drive at home, you can make a byte- or-byte image copy o your laptop hard drive be ore your trip; then you can install a resh operating system or travelpurposes, overwriting the laptop contents. When you return home, you can restore the imagecopy onto your laptop (overwriting the travel operating system) and pick up where you le tof.

Regardless o what operating system you usually run, you can do this most easily with a Linuxlive CD. (This operation happens below the level o the operating system, so it can be usedon any operating system.) The external drive to which you make the backup should itsel beencrypted, because the backup contains all o the in ormation rom your hard drive (includ-ing things you may think are deleted, and including saved passwords and authorizationcredentials) in a usable, accessible orm.

Note that making or restoring a ull-drive backup can take a long time; its usually limited bythe capacity o the connection to the external hard drive and could be up to several hours ora large laptop drive.

Since hard drive sizes have been growing aster than Internet connection speeds, imagebackups over the Internet are unlikely to be easible except in the most highly Internet-connected places. (An Internet-based image backup is similar to swapping hard drive imagesonto an external disk, except that the external disk isnt physically plugged into the local com-puter but is located somewhere else. Encryption should be used to protect the hard drivescontents.)


10/24


also get anenclosure to turn an internal hard drive into an external hard drive. High-qualityenclosures are also relatively inexpensive and protect the internal drive against physical damage,as well as providing power and making it easy to plug and unplug the drive.

Minimizing Data You Carry

One strategy or protecting your data when traveling is to minimize how much data you carry.Tis can be as simple as choosing not to bring a device which may hold sensitive data with youduring a border crossing, or it can involve removing data you dont want border agents to ac-cess. Tere are a wide variety o ways to e ectively remove data, depending on the devices andnetwork access that you have.

One approach is tophysically remove the hard drive rom your laptop be ore your trip. Youmight purchase aseparate laptop hard drive or travel purposes and install a resh operat-ing system on it. Ten you can switch hard drives be ore and a ter your trip and pick up whereyou le t o when you get back home.

Alternatively, you can remove your hard drive be ore your trip anduse your computer withno hard drive at all (by starting an operat-ing system rom a CD, USB drive, or SDcard). See the Operating System on an SDCard section below or a more detaileddiscussion. Instead o storing les on a harddrive, you can store them on a USB or SDmedium or on a network server that youaccess via an encrypted connection. Again,in this scenario, you can put your normallaptop hard drive back in when your trip iscomplete. In any case, you can ensure thatthe in ormation on your laptop while youretraveling is minimized and that you haveonly the in ormation youll need during thetrip.

You could also use aninexpensive travelcomputer on which, by design or by prac-tice, you avoid saving les, instead storingthem in the cloud on network servers. A

Case Scenario: Doctor Con dentiality

Akina is a doctor in Japan. She is traveling to the United States with her young son to attend

a relatives wedding. She wants to ensure that she can access any email messages that herpatients send her while she is abroad, and considers it critical to protect the con dentialityo those messages. On the other hand, she doesnt want any con rontation with the borderagents she worries that being detained will upset her child, and, i they are re used entry,they will miss the wedding. Akina chooses not to carry a laptop at all. Instead, be ore her trip,she mails a travel laptop to her relative in the United States. A ter the wedding, she securelywipes the laptop and takes it back to Japan with her.

Case Scenario: PhilosophicalGrounds

Howard rmly believes as a matter o prin-ciple that the government has no businesssi ting through the contents o his laptop,and hes willing to stand up or that belie .He is entering the United States a ter travel-ing around Asia or three months. He backsup his data on a remote server be ore his

trip. He also uses strong cryptography toencrypt his hard drive and chooses a strongpassphrase. I the border agents ask himor the passphrase, he intends to say no. Heknows this might cause the agents to seizethe laptop, but they are unlikely to break thepassword, and he can still have access to thein ormation on the laptop because he hasstored it remotely.


11/24


traditional netbook is suitable or this, while a Chromebook running ChromeOS helps au-tomate the process. (Bear in mind that common application so tware could leave orensicallyrecoverable data on the local hard drive even i you normally only save les on network servers.)Tey could make good investments or requent travelers. Note that, i you do consider usingcloud data storage, its important to keep in mind the privacy concerns associated with giving aservice provider access to your data; or instance, though Chromebooks store little data locally,Google can access the in ormation these devices store in Googles cloud service. We discuss

these issues in Backups Using the Internet, above.As a way o limiting what they physically carry across an international border, some travelerswillsend computers, hard drives, USB fash drives, or SD cards through the mail or othershipping service. Te legal protection a orded to computers and data sent via internationalmail is not appreciably better than at border crossings,22 but travelers can at least know thatthey wont be questioned about those devices while they and the devices are both under borderagents control.

The Challenges o Secure Deletion

Simply deleting data rom your hard drive with your normal OS le deletion eatures is notsecure and the data is still present and recoverable on your hard drive. Just because deletedles are no longer visible in your operating systems le manager does not mean that a orensicexpert cant undelete them or deduce that they were once present. Te orensic so tware willexamine the bytes actually stored on disk, which contain much more in ormation than youroperating system shows you.

Even i you delete les securely when uploading them, there might still be local traces o thoseles contents because o cached copies, metadata, and swap space issues.23 For example, lenames o cloud-stored les may still be mentioned on your hard drive. Perhaps copies o someo them are temporarily downloaded while youre working on them, and the local traces or eventhe complete contents would then be visible with appropriate orensic so tware.

Securely erasing les requires overwriting them, not just pressing delete in the user inter aceor emptying an electronic wastebasket. As Simson Gar nkel explains, it also doesnt work to just ormat a hard drive on most systems.24 Remember: an action may appear to erase or sani-tize data, but may be easily undone by a knowledgeable orensic examiner.25

You can use DBAN26 to delete entire laptop hard drives (or external hard drives or memorycards) sa ely. According to more recent research, multiple-pass overwriting (something ex-tensively promoted during the 2000s) is probably not necessary. Tis is important becausemultiple-pass overwriting o ten takes most o a ull day and has discouraged people rom usingsecure deletion tools, especially i theyre in a hurry. Single-pass overwriting in a correctly-im-plemented secure deletion tool is qualitatively much better than nothing, and especially muchbetter than deciding not to overwrite data at all because o the time it would take!

Tere are some types o so tware known as secure le deletion utilities or Secure Emptyrash which might be be use ul or erasing individual les sa ely. However, in moderncomputing environments, these methods are not necessarily ail-sa e when aced with expertorensic analysis. We do not recommend that you rely on them or removing your sensitivedata rom a device.

Some operating systems have a use ul way to clear ree space on a disk. I your system hasthis eature, it helps make most kinds o deleted data hard to undelete, but deleted regions or


12/24


data within les or databases may not be purged i the les or databases themselves still exist.For example, clearing ree space should prevent the undeletion o deleted les, but perhaps notundeletion o deleted emails and web history i they were stored inside o larger les that stillexist.

A perennial problem is that many kinds o application so tware invisibly leave traces behindwhen you open or work with les. For example, applications might make a temporary copy, orlist a les name in a Recently used documents list. Forensic so tware is written to be aware o these traces and search them out. Tis is also a substantial risk or people who use disk en-cryption to protect data on removable storage devices.27 With this concern in mind, the mostprudent course would be to assume that some trace o any les viewed or edited on a particu-lar computer could still be present on that computers hard drive. Tats why using ull-diskencryption is, according to some researchers, the sa est strategy (although less help ul i youanticipate turning over your passphrase i asked).

Operating System on an SD Card

On the most modern laptops, its possible to use an SD card like a hard drive; thus, you canchoose to use an SD card in place o a conventional hard drive and keep your entire operatingsystem and all your data on on it. (You should still use disk encryption or the data on the SDcard.) Since you can keep the SD card in your pocket or wallet when its not in use, its con-siderably harder or someone to take it rom you without your knowledge or tamper with it(although, since its so tiny, its much easier to lose).

You can also easily prepare several di erent operating system images on separate SD cards,or separate purposes or separate trips. In this case, its easier to send them in the mail or eveneasily erase or destroy a card when you no longer need it. Privacy expert Chris Soghoian, whodescribed this technique, reports that his laptop gets better battery li e when he uses an SDcard in place o a hard drive28.

You can even use the same SD card in a digital camera or taking photos, so that a single card

serves both as your camera storage medium and your encrypted hard drive.EncryptionDisk encryption protects your data i your computer is ever lost or stolen during your travels,so its a use ul precaution even or people who plan to cooperate completely with border agentsrequests or assistance in inspecting devices. Also, using encryption can help ensure you knowwhether your computer was actually searched, because you are in the loop a success ulsearch will not happen without your knowledge. I you dont use ull-disk encryption, borderagents can search your computer in another room and you wont necessarily know whether thishas happened, because they will not require your cooperation.

Account Passwords Versus Full-Disk EncryptionPeople o ten decide that they need to set a password on their computer in order to protecttheir data. Tis intuition is right, but the details matter quite a lot; not all ways o setting apassword provide the same kind o protection, and many dont involve any encrypton.

An account password or screen-lock password is en orced by the operating system code.Te operating system is con gured to ask or the password and wont allow access unless theright one is provided. But the data is still simply present on the hard drive. An account pass-


13/24


word is easily bypassed by accessing the same disk using a di erent operating system, whichwont require that the correct account password be entered. Alternatively, the hard drive couldbe physically removed rom the computer and read using a di erent computer; again, no pass-word would be needed.

By contrast,disk encryption uses mathematical techniques to scramble data so it is unintel-ligible without the right key. Tis mathematical protection works independently o the policiescon gured in the operating system so tware. A di erent operating system or computer can-not just decide to allow access, becauseno computer or so twarecan make any sense o the datawithout access to the right key.

Tis distinction makes a major practical di erence. Bypassing an account password is a routineoperation that can be done automatically with orensic so tware that bypasses the operatingsystem and looks directly at the disk, interpreting its contents or the orensic analyst; youraccount password is no obstacle or this orensic so tware. CBP, ICE and other ederal lawen orcement agencies have sta with extensive training in the use o orensic so tware and areprepared to use it i they think the contents o your computer are interesting enough.

Fortunately, modern computer systems come with comparatively easy ull-disk encryption toolsthat let you encrypt the contents o your hard drive with a passphrase that will be requiredwhen you start your computer.Using these tools is the most undamental security precaution orcomputer users who have confdential in ormation on their hard drives and are concerned aboutlosing control over their computers not just at a border crossing, but at any moment during a tripwhen a computer could be lost or stolen.

Threats to Disk Encryption

Full-disk encryption is not an impregnable solution to all concerns about data privacy. Itcould conceivably be bypassed in certain ways:

By breaking into your computer while youre using it (with aTrojan horse or spearphish-ing , or exploiting a vulnerability in so tware that you use).

With acold boot attack

i the attacker has control o your computer while its turned on,a ter youve already entered your passphrase (even i the screen is locked or the comput-er is in suspend mode).

With an evil maid attack i the attacker has control o your computer while its turned of and you use it later on without realizing the attack has happened.

By learning your encryption passphrase or key with high-tech surveillance techniques(such as video surveillance or emanations monitoring).

A simple precaution against cold boot attacks at the border is available. You should alwaysturn o your computer (physically power o , not suspend or hibernate, and not just closing the lid) be ore crossing the border. I a computer is on and you have previ-ously entered the disk encryption passphrase, there are techniques or extracting it directlyrom the computers memory (even i the screen is locked). Powering the computer of pre-vents these techniques rom working.


14/24


Choosing a Disk Encryption Tool

Choosing encryption tools is sometimes chal-lenging because there are so many options avail-able. For the best security, choose aull-disk en-cryption tool that encrypts everything on yourcomputer rather than a le-encryption toolthat encrypts individual les separately. Tismay need to be set up at the time your operatingsystem is rst installed. Every major operatingsystem now comes with encryption options.

Microsoft BitLocker in its most securemode is the gold standard because it pro-tects against more attack modes than othersoftware. Unfortunately, Microsoft has onlymade it available with certain versions o Microsoft Windows.

TrueCrypt has the most cross-platformcompatibility.

Mac OS X and most Linux distributionshave their own ull-disk encryption so twarebuilt in.

For more detailed in ormation about the advan-tages and disadvantages o various tools, consultthe Wikipedia article on comparison o ull-diskencryption so tware.29

Choosing a Secure Passphrase

Unlike other passwords, cryptographic passwords speci cally need to belong and extremelyhard to guess. Tis is because a computer (or a cluster o many computers) can be pro-grammed to try trillions or quadrillions or more o possibilities automatically. I the passwordis too short or otherwise constructed in too predictable a way, thisbrute orce guessing ap-proach will eventually succeed in cracking the password by trying every possibility.

Approaches to choosing encryption passwords that dont take account o this reality are obso-lete. For instance, many users have historically been trained to use random passwords around7-8 characters and containing letters, numbers, and punctuation marks, like these:

1rThlr9 &&0H xEV iq#tW}i7 9/NKgKaI G>oX/7Ip s@;30:[E

Tese passwords are certainly hard to remember and hard or a human being to guess, buttheyresimply not sa e enough as cryptographic passwordsagainst modern crypto-cracking de-vices, which would easily be able to guess each o them. In 1999, EFF built a crypto-crackingmachine that could try 256 possibilities in under nine days.30 Tats about enough to try everynine-letter passwordmade o letters, numbers, and punctuation. Bear in mind that this was anon-pro t organizations proo -o -concept project rom twelve years ago! Its a certainty thatgovernment agencies can crack even longer passwords with ease today.

Fortunately, modern practice provides use ul alternatives. Instead o using a single word as an

Case Scenario: Documentary Film-maker

Bill is a lmmaker who has made severaldocumentaries over the past ew years

about the eforts o authoritarian govern-ments to suppress dissent in their na-tions. He traveled to a couple o MiddleEastern countries last year, and has acedheavy questioning at the U.S. border eversince. He is working on a new project in Tunisia, where he lmed interviews withseveral dissidents, and he wants to doeverything possible to protect the con-dentiality o this ootage. He needs totransport several hundred GBs o videointo the United States rom Tunisia. His

Internet access is not good, so uploadingit to a remote server is not a realistic op-tion. Bill chooses to store the encryptedvideo les on discs with a strong pass-phrase and asks a riend to mail them tohim in the United States. Then he secure-ly wipes his laptop and brings it back intothe United States with him.


15/24


encryption password, its now normal to use a long text called apassphrase .31 Arnoud Engel-riet de nes a passphrase this way:

A passphrase is a sentence or phrase used instead o a single password. Because o itslength, a passphrase is more secure than a password. By using a phrase, it still is easy toremember.32

While some traditional advice emphasizes (correctly) that one should not use a dictionary

word as ones password, modern practice shows that using multiple dictionary wordsin onespassphrase is use ul. Our calculations con rm that relatively short series o truly randomlychosen English dictionary words are secure; many people nd these somewhat more memo-rable. Te important thing is to chooseenoughwords and to choose themin a random way.A use ul technique or choosing secure passphrases withcombinations o words is calledDiceware ; this approach was devised by Arnold G. Reinhold.33 Te Diceware approach canbe carried out with actual physical dice, or using any o a variety o so tware applications, ando ers a complete recipe or making sa e and memorable passphrases.

A major advantage o passphrases made o words is that its o ten possible to think o a mne-monic that allows you to easily memorize your passphrase. Randall Munroes xkcd comicshows a typical example or the Diceware-like phrase correct horse battery staple34: a horse isbeing congratulated on correctly identi ying a staple protruding rom a battery.

Note: this phrase, while memorable, is likely not long enough to be truly secure againstcracking by specialized encryption-cracking tools or machines, since Munroes advicedoesnt aim to protect against this kind o attack. A strong passphrase would be longeror incorporate words rom a larger word list, like: exultantly barnacle slipshod Vancou-ver rumble. This is also memorable! The Diceware article discusses in more detail how toensure your passphrase is long enough.


16/24


Another popular modern approach is to use a phrase, sentence, song lyric, poem, or long acro-nym that has been modifed in an unguessable way, such as by changing the spacing, punctuation,spelling, or capitalization in an idiosyncratic way, or altering the topic o the text or combiningseveral unrelated texts together.35

When encryption passphrases are orgotten, the disk contents will become completely unus-able. By design, the disk encryption so tware author is unable to override or bypass the protec-tion. Some systems like BitLocker suggest making a spare copy o the passphrase and storingit somewhere sa e and inconspicuous, physically distant rom the computer it protects. Tereare also technologies or allowing multiple people to share parts o the passphrase so that itcan only be recovered i several o them cooperate (usually, implementations o Shamirs SecretSharing Scheme, such as the ssss36 and Secret Sharp37 so tware). I you worry that you mightorget your passphrase, you could use this so tware to securely split it into pieces and store thepieces in di erent places.

Border Agent Demands or Access to Data

I a border agent asks you to provide an account password or encryption passphrase or todecrypt data stored on your device, you dont have to comply. Only a judge can orce you toreveal in ormation to the government, and only to the extent that you do not have a valid Fi thAmendment right against sel -incrimination.38

However, i you re use to providein ormation or assistance uponrequest, the border agent mayseize your device or urther in-spection or consider you uncoop-erative, which the agent may takeinto consideration when decidingwhether to allow you to enter theUnited States.

I you are planning to bringencrypted or password-protectedin ormation over the border, itsbest to decide ahead o time howyou would respond to a borderagents request or help to inspectdata. Te best answer or yourparticular circumstance may beto cooperate or to politely decline to provide in ormation. You could also choose to avoid thesituation altogether by bringing a blank device over the border and downloading your data once

you reach your destination.Another option is to generate a long and not-very-memorable encryption password be ore yourtrip, and then have someone else hold onto it and send it to you later, a ter youve crossed theborder. Tis might be especially practical with a work computer i you have support rom an Idepartment at your workplace, because the I department could hold onto the password oryou and let you know it when you check in with them again.39

For more advice on dealing with agents at the border, see the section titledInteracting withBorder Agents.

TrueCrypt Hidden Volumes

The TrueCrypt encryption so tware tries to providedeniability by letting you create multiple en-crypted disks protected by separate passwords insuch a way that the existence o additional hiddendata cant be easily proven or disproven. These ad-ditional encrypted disks are known as hidden vol-umes . Although TrueCrypt hidden volumes mayhave some practical applications, we think theyare unlikely to be use ul in the border searchcontext because they are most help ul when lyingto someone about whether there is additional hid-den data on a disk. Lying to border agents is notadvisable, because it can be a serious crime.


17/24


Technology-specifc ConsiderationsFlash Drives

Flash memory devices (including USB fash drives and SD cards) are used as the internalstorage in most cell phones and digital cameras. Securely erasing their contents can pose anextra challenge because o a technology called wear leveling, which tries to prevent you romrepeatedly writing to the same place on the disk. Tat means that special orensic techniquesinvolving physically disassembling the fash drive can sometimes reconstruct contents that youattempted to overwrite, because the fash drive decided to put the overwriting data in a di er-ent physical location rom the overwritten data.40 Tis kind o orensic examination is muchrarer than basic disk orensics and is probably only a concern in a tiny number o situations.

Mobile Phones and Similar Devices

Devices like mobile phones increasingly hold tremendous amount o sensitive in ormation,including photos and email messages that just a ew years ago might have been ound only incameras and laptops. O ten, they contain lists o your riends and colleagues and detailed logso when you communicated with them. Some mobile phones also store detailed logs o yourphysical location over time.

Although setting a password on your phone can be a sensible precaution, its worth emphasiz-ing that the password and screen-locking eatures that come with most phones provide nomeaning ul protection against a skilled exam-iner. Tese passwords are like user accountpasswords on a PC, not like passphrases ordisk encryption; an examiner will not needto discover what the password is in order tobypass it.

Temporary Phones or Travel

I your mobile phone uses the internationalGSM standard (usually the case for non-U.S.mobile subscribers, or or U.S. customers o T-Mobile and AT&T Wireless), you can avoidtaking your normal phone on your interna-tional trip at all, even i you want to use yourexisting phone number.41 Just get a di erentGSM-compatible phone and transfer yourSIM card from your regular phone into thenew phone. Your temporary phone will havear less o your private data on it, but sinceyour phone number is associated with the SIMcard rather than with the phone itsel , youcan still be reached at your normal telephonenumber (assuming that you have chosen to en-able international roaming services on your cellphone account). When your trip is over, youcan swap the SIM card back.

Case Scenario: Activist Associa-tions

Vera has lots o riends who are involved incontroversial activism, and some o themhave had their laptops seized at the U.S.border. Vera isnt an activist hersel , butworries that the government will take aninterest in her i it learns that shes riendlywith people who are activists. She takesa travel laptop on an international tripwith the minimum in ormation necessary,leaving most o her data at home. Be oreshe enters the United States, she signsout o her Gmail, Twitter and Facebook ac-counts and makes sure that the passwordsarent stored in her browser. She also usesWhisperCores ull disk encryption appto secure the contacts, text messages,

and other content stored on her Androidphone. I asked or the passwords, sheintends to say no. She knows this mightcause the agents to seize the devices, butthey are unlikely to break the passwords,which are very strong. I that happens,Vera will still be able to access all the in-ormation on the devices because she hasstored it remotely.


18/24


Secure Deletion o Data and Disk Encryption or Mobile Devices

Its very hard to be sure that in ormation on mobile devices has been truly deleted. You mightchoose to delete information such as SMS messages so that they are not visible to someonelooking through your phone, but there is typically no meaning ul secure deletion option. Asophisticated orensic analysis may still reveal the contents o these deleted messages.

I your mobile device has a removable memory card such as an SD card, you can most securely

wipe its contents by physically removing it rom the mobile device and wiping it using securedeletion so tware in a PC.

In most cases, it may be better to travel with a separate mobile device that holds little privatedata rather than trying to rely on your phones security eatures to prevent border agents romreading private data.

I you pre er to travel with your everyday mobile device, it may support specialized encryp-tion so tware. Te most recent release o Android or tablets (but not mobile phones) has acomprehensive encryption option, while some Android devices can be protected with add-onso tware like WhisperCore (which requires a resh installation o the phone so tware). Whis-perCore also supports making a networked backup o a phones contents, securely erasing

them, and re-downloading them later. BlackBerry devices also have potentially e ective secu-rity options that may be able to protect data even against an expert; i you have an enterprise-managed BlackBerry, you can check out your user manual or ask your I department aboutthese eatures.

Digital Cameras

Agents may well ask to look through the contents o cameras, whether to try to disprove some-ones claim about where they traveled, in search o sexually explicit photographs, or simply outo curiosity.

Be aware that border agents may search your camera, copy its contents, or try to undelete im-

ages or videos that you believe youve deleted and that are no longer visible rom the camerasuser inter ace.42 Tere is no simple precaution against this, although low-level ormatting orlow-level overwriting a memory card in its entirety, using a computer and not a camera, shouldprevent undeletion; you should not rely on this unless youre amiliar with exactly what theormatting process is doing. (Notably, high-level ormatting o memory cards, or o hard drives,is totally ine ective against orensic analysis.)

Te same considerations apply to camcorders and to the camera in your mobile phone.

Interacting with Border AgentsBorder agents have a great deal o discretion to per orm searches and make determinations o admissibility at the border. Keep in mind that any traveler, regardless o citizenship status orbehavior, can be temporarily detained by border agents or more detailed questioning, a physi-cal search o possessions, or a more extensive physical search.43 Re usal to cooperate withsearches, answer questions, or turn over passwords to let agents access or decrypt data maycause lengthy questioning, seizure o devices or urther examination, or, in extreme circum-stance, prevent admission to the country.44

For this reason, it may be best to protect your data in ways that dont require you to have awk-


19/24


ward con rontations with border agents at all. I you nd yoursel in such a situation, however,keep these tips in mind:

Dont LieIts extremely important that you do not tell a lie to a border agent. Doing so is a serious crimeor which you may be prosecuted even i your lie was not told to conceal any wrongdoing.45 I you are absolutely sure that you dont want to answer a speci c question, its better to politelydecline to answer than to give a alse answer.

Dont Obstruct an Agents InvestigationOnce its clear that a border agent is going to search your device or other possessions, dont takeany steps to destroy data or otherwise obstruct that process. Like lying, knowingly inter er-ing with a border agents investigation is a serious crime.46 Write down the agents identi yingin ormation and collect a receipt or property i appropriate. Ten le a complaint or consult alawyer about getting the item back. (For in ormation on ling a complaint to CBP or ICE, seethe Appendix to this paper.)

CourtesyIts in your interest to be courteous to agents at all times during the border inspection process.CBP agents should also be courteous and pro essional while searching your belongings, detain-ing, or questioning you.47 I they ail to do so, you can le a complaint.


20/24


AppendixResources or International Travelers WithBorder Search IssuesProblems with or questions about an ICE or CBP examination?

I you have a question about CBP or wish to submit a ormal complaint about a CBP examina-tion, please go to .

o le a civil rights complaint against either CBP or ICE, you can le a complaint with the De-partment o Homeland Security O ce o Civil Rights and Civil Liberties. You may downloada complaint orm at .

Have you been repeatedly re erred to secondary screening? Do you sus-

pect your name is on a watch list?You may submit a complaint to the Department o Homeland Securitys raveler RedressInquiry Program at .

Want to know what in ormation CBP or ICE has on fle about you?

Anyone can seek copies o records about themselves through the Freedom o In ormation Act.You can use the Privacy Act to ask or the same in ormation i youre a U.S. citizen or law ulpermanent resident.

For in ormation about submitting a request to CBP, see .

o request records rom ICE, see .

Feel as though your privacy or civil rights have been violated during a bor-der search?

Please visit the Department o Homeland Securitys raveler Redress Inquiry Program tospeci y all scenarios that apply to your travel experience at .

Do you have urther questions?

Contact an attorney or help.
http://eff.org/https://help.cbp.gov/app/forms/complainthttp://www.ice.gov/doclib/secure-communities/pdf/crcl-complaint-submission-form-english.pdfhttp://www.ice.gov/doclib/secure-communities/pdf/crcl-complaint-submission-form-english.pdfhttps://trip.dhs.gov/http://www.cbp.gov/xp/cgov/admin/fl/foia/reference_guide.xmlhttp://www.cbp.gov/xp/cgov/admin/fl/foia/reference_guide.xmlhttp://www.ice.gov/foiahttps://trip.dhs.gov/https://help.cbp.gov/app/answers/detail/a_id/11/kw/border%20search/related/1https://help.cbp.gov/app/answers/detail/a_id/11/kw/border%20search/related/1https://trip.dhs.gov/http://www.ice.gov/foiahttp://www.cbp.gov/xp/cgov/admin/fl/foia/reference_guide.xmlhttp://www.cbp.gov/xp/cgov/admin/fl/foia/reference_guide.xmlhttps://trip.dhs.gov/http://www.ice.gov/doclib/secure-communities/pdf/crcl-complaint-submission-form-english.pdfhttp://www.ice.gov/doclib/secure-communities/pdf/crcl-complaint-submission-form-english.pdfhttps://help.cbp.gov/app/forms/complainthttp://eff.org/


21/24


Endnotes1 E.g., United States v. Arnold, 533 F.3d 1003, 1008 (9th Cir. 2008); United States v. Romm, 455 F.3d 990,

997 (9th Cir. 2006); U.S. v. Linarez-Delgado, 259 F. Appx 506, 508 (3d Cir. 2007); United States v. McAu-ley, 563 F. Supp. 2d 672, 979 (W.D. ex. 2008); United States v. Roberts, 86 F. Supp. 2d 678, 688 (S.D. ex.2000); United States v. Bunty, 617 F. Supp. 2d 359, 365 (E.D. Pa. 2008); United States v. Hampe, No. 07-3-B-W, 2007 WL 1192365, at * 4 (D. Me. Apr. 18, 2007).

2 See Electronic Device Privacy Act o 2008, H.R. 6588, 110th Cong. 2(a) (2008); ravelers Privacy Protec-

tion Act o 2008, S. 3612, 110th Cong. 4(a) (2008); Securing Our Borders and our Data Act o 2009, H.R.239, 111th Cong. 2(a) (2009).

3 U.S. Customs and Border Protection, Dir. 3340-049, Border Searches o Electronic Devices ContainingIn ormation at 5.1.2 (Aug. 20, 2009),http://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pd .

4 Id. at 5.3.1.

5 Id. at 5.2.2. (Other possibly sensitive in ormation, such as medical records and work-related in ormationcarried by journalists, shall be handled in accordance with any applicable ederal law and CBP policy.)

6 Id. at 5.3.2.2.

7 Id.

8 U.S. Immigration and Customs En orcement, Dir. 7-6.1, Border Searches o Electronic Devices (ICE Di-rective) at 4, 6.1 (Aug. 18, 2009), .

9 Id. 8.3.

10 In one instance, ICE held onto David Houses laptop, thumb drive, and digital camera or 49 days. Anaquaintance of accused WikiLeaks whistleblower Bradley Manning,Mr.House was returning from Mexicowhen agents con scated his electronic equipment. While the Justice Department conceded that it held ontohis laptop or longer than thirty days, it explained that [t]he lack o password access required ICE computerexperts to spend additional time on Mr. Houses laptop. Kevin Poulsen, Feds Defend Seizure of WikilLeaksSupporters Laptop, Wired Treat Level ( July 28, 2011) .

11 Id. at 8.4.12 ICE Directive, supra note [8], at 8.6.

13 United States v. Cotterman, 637 F.3d 1068, 1070 (9th 2011) (petition or en banc rehearing led Sept. 12,2011) (permitting agents to transport a laptop to a orensic laboratory almost 170 miles away rom the bor-der and keep computer or two days to continue inspection, but the government cannot simply seize propertyunder its border search power and hold it or weeks, months, or years on a whim.)

14 See, e.g.,United States v. Hanson, No. CR 09-00946 JSW, 2010 U.S. Dist. LEXIS 61204 (N.D. Cal. June 2,2010) (reasonable suspicion required to search laptop about two weeks a ter it was detained at the border andsent away or orensic analysis, and probable cause required to search laptop about our months a ter initialdetention at border); United States v. Stewart,715 F. Supp.2d 750, 754-55 (E.D. Mich.2010) (transportinga computer rom an airport to a remote location might result in an extended border search). However, both o

these cases rely signi cantly on United States v. Cotterman, No. 071207, 2009 U.S. Dist. LEXIS 14300 (D.Ariz. Feb. 24, 2009), which was reversed on appeal. 637 F.3d 1068.

15 ACLU, Government Data About Searches o International ravelers Laptops and Personal ElectronicDevices (Aug. 25, 2011),http://www.aclu.org/national-security/government-data-about-searches-interna-tional-travelers-laptops-and-personal-electr.

16 For example, Guidance So tware markets a popular orensic analysis tool called EnCase, which lets examin-ers acquire data rom a wide variety o devices, unearth potential evidence with disk level orensic analysis,and cra t comprehensive reports on their ndings, all while maintaining the integrity o their evidence. EnCase Forensic, http://www.guidanceso tware.com/ orensic.htm(last visited Oct. 4, 2011). Government
http://eff.org/http://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/ice_border_search_electronic_devices.pdfhttp://www.dhs.gov/xlibrary/assets/ice_border_search_electronic_devices.pdfhttp://www.wired.com/threatlevel/2011/07/househttp://www.wired.com/threatlevel/2011/07/househttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.guidancesoftware.com/forensic.htmhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.aclu.org/national-security/government-data-about-searches-international-travelers-laptops-and-personal-electrhttp://www.wired.com/threatlevel/2011/07/househttp://www.wired.com/threatlevel/2011/07/househttp://www.dhs.gov/xlibrary/assets/ice_border_search_electronic_devices.pdfhttp://www.dhs.gov/xlibrary/assets/ice_border_search_electronic_devices.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://www.dhs.gov/xlibrary/assets/cbp_directive_3340-049.pdfhttp://eff.org/


22/24


agents have used this tool to recover deleted les when searching devices seized at the border. See UnitedStates v. Romm, 455 F.3d 990, 997 (9th Cir. 2006) ( nding the search to be reasonable under the bordersearch exception). EnCase includes extensive unctionality to help relatively non-expert users make sense o the contents o a hard drive, including, or example, nding and reading the content o email messages. Com-puter orensic tools will become more automated in the uture; see Simson Gar nkel, Automated ComputerForensics (available at ).

17 SpiderOak is a zero knowledge backup provider. Tis means that we do not know anything about the datathat you store on SpiderOak -- not even your older or lenames. On the server we only see sequentially

numbered containers o encrypted data.

18 Backups should be secure against attackers ranging rom script kiddies up to major world governments,even i they can compromise the systems on which the backups are being stored. Backups are supposed to bea tool or mitigating damage not a potential vulnerability to worry about!

19 [I]n stark contrast to most other online storage services, all your les get encrypted on your computer, sothat no one - including the employees at Wuala and LaCie - can access your private les. Your password neverleaves your computer.

20 Duplicity is available rom .

21 ahoe-LAFS is available rom .

22 See United States v. Seljan, 547 F.3d 993, 999 (9th Cir. 2008) (en banc).

23 Alexei Czeskis, David J. St. Hilaire, Karl Koscher, Steven D. Gribble, adayoshi Kohno, and Bruce Schneier,De eating Encrypted and Deniable File Systems: rueCrypt v5.1a and the Case o the attling OS and Ap-plications, available at .

24 See .

25 Undeletion is a standard, built-in eature o orensic products used by law en orcement and border agen-cies. It works reliably i deletion was done recently. It may work even a ter an operating system reinstallation(slack space), depending on how the reinstallation process works. (However, it typically doesnt work a terOS reinstallation i ull-disk encryption was used on the previous OS image, because the new operatingsystem will overwrite the decryption keys and make the old systems encrypted data unrecoverable.)

26 DBAN is available romhttp://www.dban.org /.

27 Czeskis et al. point out that the operating system and applications can leak signi cant in ormation about theexistence o , and the les stored within, a hidden volume:

[Tese risks] also seem applicable to regular (non-deniable) disk encryption systems in which only a subseto all the users entire disks are encrypted and in which a user does not deny the existence o the encrypted re-gions but does re use to divulge the passwords. [...] In summary with regard to disk encryption, in situationswhere there is a need to protect the privacy o individual les, the sa est strategy appears to be to encrypt thefull disk [...] For example, the authors found that Microsoft Word would periodically auto-save copies of adocument being edited. Even i the document being edited was located on an encrypted volume, Word couldplace the auto-saved copies on an unencrypted volume; even though they were automatically deleted, thesecopies could easily by undeleted by a orensic examiner. (In a similar vein, applications may create and store a

preview or icon version o documents and images they open.) Supra note [23].28 https://twitter.com /#!/csoghoian/status/75793191177166849 (4GB SD cards are cheap, can be destroyed

be ore going through US customs, and by taking out my [hard drive], my laptop battery now lasts 8 hrs.)

29 See .

30 See EFFs DES Cracker page:

31 For a use ul general discussion o passphrases, see Indiana University UI S, Passwords and Passphrases,available at , and Passphrases, availalbe at


23/24


bersecurity/sa eonline/passphrases>. Tese documents are not speci cally ocused on passphrases or diskencryption; bear in mind our warning, in ra note [34].

32 Arnoud Engel riet, Te Passphrase FAQ, available at .

33 See Reinholds Diceware page at .

34 xkcd #936, available at . Note that this phrase is likely too short or diskencryption use; Munroe calculates its strength at only 44 bits. Reinholds advice suggests using at least ve

random words or a passphrase or encryption purposes, when the words are chosen rom a list that includesonly simple everyday words. Exactly how long or unpredictable a passphrase needs to be to be secure againstcracking by machines is a complex question, and relies on speculation and assumptions about the capabili-ties o the organizations that will try to crack your passphrase. Some disk encryption systems can be sa eeven with relatively short passphrases because o how they use key stretching technologies; see . But you should not use this as an excuse tochoose a simpler passphrase unless you understand the precise technical details o how the disk encryptionso tware youve chosen uses key stretching. Note that this comic is licensed under a Share ADDI IONALNO E: licensed under a Creative Commons Attribution-NonCommercial 2.5 License.

35 Simply using a quotation or song lyric by itsel is not sa e because there are readily available lists o quotationsand lyrics, comprising only millions o distinct sentences. Tis is a tiny number or a computer to test. Yourpassphrase should never be identical to anything that has ever been published anywhere.

36 .

37 .

38 See In re Grand Jury Subpoena to Sebastien Boucher, 2:06-mj-91, 2007 WL 4246473 (D. Vt. Nov. 29,2007), appeal sustained by 2009 WL 424718 (D. Vt. Feb. 29, 2009); United States v. Rogozin, 09-CR-379,2010 WL 4628520 at **5-6 (W.D.N.Y. Nov. 16, 2010); United States v. Kirschner, No. 09-MC-50872, 2010WL 1257355 (E.D. Mich. March 30, 2010).

39 Tis should become ar easier and more routine in the uture, as suggested by Roxana Geambasu, John P. John, Steven D. Gribble, Tadayoshi Kohno, and Henry M. Levy Keypad: An Auditing File System for eft-Prone Devices, in Proceedings o the European Con erence on Computer Systems (EuroSys), Salzburg,Austria, April 2011, available at .

Geambasu et al. describe an encryption system where a network server, rather than an end-user, holds thekeys. Under normal circumstances, the server will immediately provide the keys to decrypt any le that auser wants to use, but the server operator can temporarily or permanently revoke a devices ability to requestdecryption keys ( or example, i the device is lost). When practical implementations o this system becomeavailable, they could be ideal or border crossings, because a server can turn o decryption key access or atravelers laptop at a given time and re-enable it only a ter the traveler has passed through immigration andcustoms.

40 Michael Wei, Laura M.Grupp, Frederick E. Spada, and Steven Swanson, Reliably Erasing Data From Flash-Based Solid State Drives (in Proceedings of the 9th USENIX Conference on File and Storage Technologies),available at . Wei et al. note that, [t]heinternals o an SSD [solid state drive] di er in almost every respect rom a hard drive, so assuming that theerasure techniques that work or hard drives will also work or SSDs is dangerous.

41 Not all mobile service plans support using your SIM card in a foreign country. If in doubt, contact your mo-bile phone carrier.

42 Deleted photos on cameras are generally not really erased, and can be trivially undeleted using a computerand widely available so tware. Undeleting photos rom a cameras memory card does not usually require spe-cial technical expertise or orensic training.

43 See Inspection o Electronic Devices, supra, note [19] at 1; U.S. Customs and Border Protection, ReasonsYou May Be Searched By CBP,https://help.cbp.gov/app/answers/detail/a_id/26/kw/border %20search(last visited Oct. 4, 2011).
http://eff.org/http://protect.iu.edu/cybersecurity/safeonline/passphraseshttp://www.iusmentis.com/security/passphrasefaqhttp://www.iusmentis.com/security/passphrasefaqhttp://world.std.com/~reinhold/diceware.htmlhttps://www.xkcd.com/936https://en.wikipedia.org/wiki/PBKDF2#Disk_encryption_softwarehttps://en.wikipedia.org/wiki/PBKDF2#Disk_encryption_softwarehttp://creativecommons.org/licenses/by-nc/2.5/http://point-at-infinity.org/sssshttp://sourceforge.net/projects/secretsharphttp://eurosys2011.cs.uni-salzburg.at/pdf/eurosys2011-geambasu.pdfhttps://db.usenix.org/events/fast11/tech/full_papers/Wei.pdfhttps://help.cbp.gov/app/answers/detail/a_id/26/kw/borderhttps://help.cbp.gov/app/answers/detail/a_id/26/kw/borderhttps://db.usenix.org/events/fast11/tech/full_papers/Wei.pdfhttp://eurosys2011.cs.uni-salzburg.at/pdf/eurosys2011-geambasu.pdfhttp://sourceforge.net/projects/secretsharphttp://point-at-infinity.org/sssshttp://creativecommons.org/licenses/by-nc/2.5/https://en.wikipedia.org/wiki/PBKDF2#Disk_encryption_softwarehttps://en.wikipedia.org/wiki/PBKDF2#Disk_encryption_softwarehttps://www.xkcd.com/936http://world.std.com/~reinhold/diceware.htmlhttp://www.iusmentis.com/security/passphrasefaqhttp://www.iusmentis.com/security/passphrasefaqhttp://protect.iu.edu/cybersecurity/safeonline/passphraseshttp://eff.org/


24/24

Documents

EFF Border Search Electronic Devices