Guest Post: Going Abroad? Remember Your Digital Hygiene
As more and more travelers have begun carrying their cellphones and laptops abroad, the searching of these and other electronic devices by customs inspectors has become a contentious issue. On Jan. 4, U.S. Customs and Border Protection (CBP) released an updated directive to its workers on the searching of electronic devices at border crossings. According to CBP statistics published on Jan. 5, the agency processed 397 million international travelers in fiscal year 2017 and searched 30,200 devices. This is an increase from the 19,051 device searches in fiscal year 2016, which recorded 390 million travelers. CBP noted the percentage of searches rose from .005 percent in 2016 to only .007 percent in 2017. But because of the increasing amount of personal information on these devices, travelers have been pushing back against these intrusions.
In September 2016, the American Civil Liberties Union (ACLU) and the Electronic Frontier Foundation (EFF) filed a lawsuit against the Department of Homeland Security on behalf of 11 travelers whose phones and laptops were searched at the U.S. border without warrants. The lawsuit asserts that the Fourth Amendment to the U.S. Constitution should govern the border searches and therefore customs agents should be required to obtain search warrants. However, based on case law and a long history of international law, the lawsuit faces an uphill battle because border inspections traditionally have been treated separately from searches in criminal investigations that are governed by the Fourth Amendment. Sovereign countries have long had the ability to control commerce at their borders, and customs inspectors have had wide leeway to search goods and travelers' belongings for contraband at the border. Even citizens have less of an expectation of privacy at an international border crossing or a border zone than inside the country.
Because of these rulings and understandings, it is unlikely that the lawsuit will cause a massive legal change. But even if it did, it would change only U.S. policy and would have no impact on other governments, which follow similar, or even more aggressive, guidelines on searching electronic devices. The updated CBP directive serves as a great reminder of how incredibly vulnerable personal and proprietary business information in electronic devices is during international travel.
What Is and Is Not Covered?
Under the CBP order, customs inspectors have the authority to conduct a basic search of any electronic device without having probable cause of a crime or even suspicion of a crime. Devices are defined not only as computers, phones and tablets, but also as digital storage media, including external hard drives and thumb drives. Such a search is confined to information on the device, and it cannot be used to retrieve external data, such as that stored in the cloud. Officers will ask the owners to disable their device's internet connectivity during such a search. The basic search consists of the officer reviewing the contents of the device with his or her eyes.
Travelers can be compelled to provide passwords for the devices. Foreigners who refuse to provide the password to unlock a device or decrypt data on it can be denied entry to the United States. If a U.S. citizen refuses to provide the password, the device can be retained for up to five days, but the citizen cannot be denied entry to the country. CBP personnel are ordered to destroy passwords after using them to unlock the device. If after a basic search, the CBP officer develops reasonable suspicion that a device contains evidence of a violation of the law, or of a national security concern, the officer must contact a supervisor to request an advanced search, which is defined as one using external equipment to review, copy or analyze the device's contents.
But again, these guidelines pertain only to the CBP. The customs officials in other countries have similar policies when it comes to searching the electronic devices of international travelers. In many parts of the world, the authorities have broad leeway to inspect electronic devices, either at a border or elsewhere. Indeed, it is not unusual for travelers to have their hard drives imaged or accessed when passing through customs or copied surreptitiously when left unattended in a hotel room. Most intelligence and security agencies have "unlimited data plans" when it comes to collecting potentially valuable information, and travelers should protect their information accordingly.
Protecting Your Privacy
The ACLU-EFF lawsuit notes quite correctly that "People now store their whole lives, including extremely sensitive personal and business matters, on their phones, tablets, and laptops." And this is the first problem from my perspective. People simply should not carry that much sensitive information with them when they travel. Indeed, I would bet that a large majority of the traveling public isn't even aware of everything they have in their phones and laptops. In the past I've said that most people are unaware of what they have in their wallets or purses and noted that this lack of awareness makes it difficult to reconstruct what personal information was in their wallets or purses. This problem is magnified exponentially when it comes to the gigabytes of data stored on smartphones and computers, especially when those devices are used to connect to social media, online banking and shopping, and other services. Border searches by the authorities are not the only threat to this data. It is not unusual for travelers to have their devices stolen, and then the data can be exploited by criminals.
Besides personal information, proprietary business information is also a hot commodity. The Chinese government publicly stated that it was trying to acquire critical technologies by whatever means necessary when it established its 863 program, set up in 1986 to stimulate the development of advanced technologies. In addition to its normal appetite for weapons-related proprietary information, the Russian government recently announced that it was launching a program to develop its internal capability in 77 key technologies. The Russians will likely accomplish a good deal of this "development" by stealing the technology from others rather than starting from scratch. And Russia and China are only two of the many countries that have an interest in looting proprietary information to help them develop their industrial bases. The bottom line is that no matter your business, you probably have proprietary information of interest to someone, and it is vulnerable during travel.
To remedy this vulnerability, we've recommended for many years that people leave their primary computers and phones at home and carry alternative devices when they travel — especially abroad. These travel devices should contain only the personal or business information required for a specific trip. It is also not a bad suggestion to place any files you need for a trip on a file-sharing site in the cloud and in an account set up for that trip. Some people recommend carrying your data on a SD card, which you can hide in your possessions or clothing. But I believe that looks too much like espionage activity — and it is safer to simply park the data on the cloud. Furthermore, with the enhancement of security technologies inside air terminals, certain screening machines will be able to detect a hidden storage device.
What's the Password?
Another concern is password security. In a situation in which you can be compelled to provide a password to unlock your device, it is doubly important that you not use the same password for multiple devices and accounts, because that one password can be the key to everything. It is far better to use separate passwords. Password managers are helpful tools, but if they reside on your device, they are vulnerable during a border search because people can be forced to open even encrypted files. Because of this, only take the passwords you need for your trip, and ensure they are robust and unique.
Beyond the concern about having your personal or business information compromised just once, there is the danger that a government or other hostile actor will place malware on your devices to give them access to the information you add later. There is also software that can turn your phone, laptop or tablet into a mobile spying device for eavesdropping on your business meetings and other activities. Due to this, I recommend that you not trust devices that have been out of your possession, and leave them outside the room during sensitive business meetings.
Because of the malware threat, we recommend that your travel equipment be wiped and reformatted after each trip and that it never be connected to your corporate or home networks where it can spread to other devices. Digital hygiene is very important.
Finally, when considering international travel with electronic devices, it is important to understand that some commonly used electronic items are restricted in certain countries and possession of them can land a traveler in hot water. For example, satellite phones are illegal in China, Iran, Cuba and Myanmar. Russia and India also have laws regulating satellite-enabled devices, including such personal tracking devices as inReach and SPOT. It is best to check the local laws before you travel.
And, by all means travel for fun and profit, but make sure you travel wisely.
The views and opinions expressed in this guest post belong to the author, who is responsible for its content, and do not necessarily reflect the views of Telios Law PLLC.
Posted with thanks to Stratfor's Threat Lens.
Written by Scott Stewart, VP of Tactical Analysis, Stratfor.
To view the original article, click here.
Because of the generality of the information on this site, it may not apply to a given place, time, or set of facts. It is not intended to be legal advice, and should not be acted upon without specific legal advice based on particular situations