With the current US administration pondering the possibility of forcing foreign travelers to give up their social media passwords at the border, a lot of recent and justifiable concern has been raised about data privacy. The first mistake you could make is presuming that such a policy won’t affect US citizens. For decades, JTTFs (Joint Terrorism Task Forces) have engaged in intelligence sharing around the world, allowing foreign governments to spy on you on behalf of your home country and passing that information along through various databases. What few protections citizens have in their home countries end at the border, and when an ally spies on you, that data is usually fair game to share back to your home country. Think of it as a backdoor built into your constitutional rights. To underscore the significance of this, consider that the president signed an executive order just today stepping up efforts at fighting international crime, which will likely result in the strengthening of resources to JTTFs to expand this practice of “spying on my brother’s brother for him”. With this, the president also counted the most common crimes – drugs, gangs, racketeering, etc. – as matters of “national security”.
Once policies that require surrendering passwords (I’ll call them password policies from now on) are adopted, the obvious intelligence benefit will no doubt inspire other countries to establish reciprocity in order to receive better intelligence about their own citizens traveling abroad. It’s likely the US will inspire many countries, including oppressive nations, to institute the same password policies at the border. This will ultimately be used to skirt search and seizure laws by opening up your data to forensic collection. In other words, you don’t need Microsoft to service a warrant, nor will the soil your data sits on matter, because it will be a border agent connecting directly to your account with special software through the front door.
I am not a lawyer, and I can’t provide you with legal advice about your rights, or what you can do at a border crossing to protect yourself legally, but I can explain the technical implications of this, as well as provide some steps you can take to protect your data regardless of what country you’re entering. Disclaimer: You accept full responsibility and liability for taking any of this information and using it.
The implications of a password policy are quite severe. Forensics software is designed to collect, index, organize, and make searchable every artifact possible from an information source. Oftentimes, weak design can allow these tools to even recover deleted data, as was evidenced recently by Elcomsoft’s tool to recover deleted Safari history. Oftentimes, the user isn’t even aware of how much content is still active and accessible, even if it’s not deleted. Once in an intelligence database, this can be correlated with other data, even including your interests, shopping habits, and other big data bought from retailers. All of this can be fed into even basic ML to spit out a confidence score that you are a terrorist based on some N-dimensional computation, or plot you on a K-nearest-neighbor chart to see how close you plot to others under suspicion. The possibilities really are endless, and your freedom may someday depend on the results from machine learning algorithms.
You might think that you can simply change your passwords after a border encounter, but what you may not realize is that a forensics tool is capable of imaging potentially your entire life from a single access to your account. Whether it’s old iPhone backups sitting in iCloud that can date back years, or your entire Facebook or Skype message history, once an API is wired into a forensics tool, that one moment in time exposes all of your historical data to the border agent – whatever is available on the server, which ultimately exposes all of your historical data to an intelligence database and many other countries.
With that said, the goal is to avoid exposing your account information at the border so that it can’t be stolen from you in the first place. This is a classic security problem like any other and requires that you think of a border crossing as a security boundary and the system as an adversary; the goal is to raise the cost until it exceeds their investment in detaining you and diverting government resources away from going after real threats to the country – not you. The key to mastering the art of protecting your data at a border is to plan ahead for continuity of access outside of the constraints of the border crossing, while positioning yourself as if you were the adversary during this encounter. Think of it as pulling in a secondary payload once you pass a security boundary. There are a number of different ways to do this, ranging from social engineering to compartmentalization of data. How you choose to do it depends on your data needs while abroad.
All of these suggestions attempt to provide a technical basis to get you to “can’t”; that is, so you “can’t” expose your own data even if you were compelled to. In my experience, “can’t” will often get you better mileage than “won’t”, however depending on the country you’re entering, it’s possible that “can’t” could also get you jailed. It’s your responsibility to decide what information you need to be able to expose if compelled or threatened; this, you can keep at the front of your memory, like passwords. Getting to “can’t”, however, is much harder than getting to “won’t”, and since you probably already know how to do the latter, I’ll focus on the art of “can’t”.
Obviously, you want all of your devices encrypted and powered off at the border. There are plenty of ways to access content on devices (even locked ones) if the encryption is already unlocked in memory. This is kind of a given, but I felt the need to mention it anyway. Encryption only gets you to “won’t”, of course, which is why it’s not a significant part of this post. Encryption alone won’t get you to “can’t”, but it is a good starting point. You could of course have someone else set a password for you, but there’s very little benefit to this strategy. Protecting corporate secrets, however, might get you some mileage if it is a company-owned device.
Throughout this post, be thinking about the different layers of data. Your most personal crucial data is the data that you don’t want anyone to access; your inner-ring data. There are other layers around this, outer-rings of data that you consider sacrificial to certain degrees. Learning how to divide this data up before copying to your devices will help minimize the exposure of your content in the event all of your devices are compromised. Compartmentalizing your data into different layers is designed to help you organize what information you won’t be bringing with you, or what you will be protecting with various techniques discussed here or otherwise. Inner ring data that you must bring might be encrypted on a hidden VeraCrypt volume, for example; with outer ring data on the outer layer of the volume.
The first, and most common piece of travel advice an information security expert will give is to use burner devices when possible. This is because the best way to avoid having your data stolen is to simply not have the data with you, and to not bring any bugs back into your clean environment. In our threat model here, that also means that you cannot have any means to access the data remotely. For this reason, a burner device will get you only so far, but can still be an important ingredient.
Any data that you do not need to have with you on your trip should be backed up at home, including accounts and passwords that you won’t need to connect to while abroad. Ideally, use multiple drives and keep copies of the data at multiple sites, encrypted. If your house burns down (or is ransacked, if you’re arrested) while you’re away, you really want to have an off-site backup somewhere.
Properly wiped burner devices containing minimal data will reduce your exposure; one of the benefits of using a burner is that you’ve got a device that’s never been exposed to your most important data (your “inner ring”), but only your outer rings of data. You’ll also want to keep the burner devices isolated from accounts that could sync old data back onto them, such as old call history databases from an iCloud backup. It’s not just the data you’re putting on now that matters, but having a clean system with no forensic trace on it. Deleted records are never truly gone.
Typically, people use burner devices to secure their exit from a hostile country. The rationale is that your device may have been compromised at some point during your trip, resulting in malware or even an implant being installed on the device to provide persistent surveillance capabilities. So not only does a burner device help in providing a clean room to carefully place outer-ring data, but it is more useful when exiting, to ensure you don’t bring any bugs back with you. If you can discard it before getting to the border, then you won’t even need to give it a second thought.
Budget constraints may not make this possible, but keep in mind that your laptop could be seized at any time and kept for months, even by the US government. I’ve worked on such cases. It happens to innocent people. If you are overly concerned about your device being searched at the border, and can’t “burn” it, mail it to yourself at some discreet name and location, and overnight. Of course that has risks too. There are some great physical anti-tamper primers out there that can be used to help ensure security while in transit.
You will no doubt have some online accounts that you’ll need access to while abroad; if you can’t live without your Twitter or Facebook account, or access to your source code repositories, etc., the next important step is to activate 2FA for these accounts. 2FA requires that you not only have a password, but also a one-time-use code that is either sent to or generated by your device.
2FA in itself isn’t a solution, as many forensics tools can prompt the examiner for a 2FA token, and you can potentially be compelled to provide a token at the border. This is where a bit of ingenuity comes into play, which we’ll discuss next. The takeaway from this section, however, is not to bring any accounts across the border that don’t have 2FA enabled. If you are compelled to give up any password, you’re giving away access to the account data.
Any accounts that you cannot protect with 2FA are best left to burner accounts with only outer-ring data, but bear in mind that simply deactivating an account doesn’t protect you. With the same password, a border agent can easily re-activate a dead account, usually without 2FA. Should they obtain knowledge of the account through forensic technique, etc., you may still risk exposure.
Locking Down 2FA
There are a few different forms of 2FA, but all generally provide you with backup codes when you activate it. Store these backup codes either at home (if coming back into your home country), or forward them on to a safe place in electronic or physical form where you know you can get to them securely from the other side of the border. If you must use snail mail, encipher them using one of many ciphers that can still be done by hand. Other options include use of steganography, secure comms with an affiliate, or a hardware token.
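As an added example (not code from the original post), here is one hand-workable cipher for backup codes: add each character of the code to a key character modulo 36 over the alphabet 0–9, A–Z, which is the arithmetic you would do on paper with a lookup table. Backup codes are alphanumeric, so separators such as spaces and hyphens are stripped first. With a random key as long as the codes, used once and kept only in your memory or on the far side of the crossing, this is a one-time pad; with a short, cycling passphrase (as in the `SECRET` example below) it degrades to a Vigenère cipher and should be treated as obfuscation only. Function names, the sample codes and the key are all constructed for this example.

```python
"""Hand cipher for 2FA backup codes: modular addition over a base-36 alphabet.

Added example, not part of the original post. Names and sample values are
constructed for illustration.
"""
import secrets

# Base-36 alphabet: digits take values 0-9, letters A-Z take values 10-35.
ALPHABET = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MOD = len(ALPHABET)


def normalize(text: str) -> str:
    """Upper-case the text and drop anything outside the alphabet
    (backup codes are often printed as '1234 5678' or 'abcd-efgh')."""
    return "".join(c for c in text.upper() if c in ALPHABET)


def generate_pad(length: int) -> str:
    """Random key as long as the codes. Used once and never reused, this
    turns the cipher into a one-time pad; a die or coin flips work by hand."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def _shift(text: str, key: str, sign: int) -> str:
    plain = normalize(text)
    k = normalize(key)
    if not k:
        raise ValueError("key must contain at least one alphanumeric character")
    out = []
    for i, ch in enumerate(plain):
        # Key repeats if it is shorter than the text (Vigenere behaviour);
        # supply a pad from generate_pad() to avoid that weakness.
        k_val = ALPHABET.index(k[i % len(k)])
        out.append(ALPHABET[(ALPHABET.index(ch) + sign * k_val) % MOD])
    return "".join(out)


def encipher(codes: str, key: str) -> str:
    """Ciphertext = (plaintext + key) mod 36, character by character."""
    return _shift(codes, key, +1)


def decipher(ciphertext: str, key: str) -> str:
    """Plaintext = (ciphertext - key) mod 36, character by character."""
    return _shift(ciphertext, key, -1)


def group(text: str, size: int = 4) -> str:
    """Re-insert spaces every `size` characters so the result is easy to
    copy onto paper without transcription errors."""
    return " ".join(text[i:i + size] for i in range(0, len(text), size))


if __name__ == "__main__":
    # Constructed sample: two four-character backup codes and a short key.
    sample_codes = "1234 5678"
    weak_key = "SECRET"          # cycling passphrase: Vigenere, weak
    pad = generate_pad(len(normalize(sample_codes)))  # OTP-strength key
    print("passphrase :", group(encipher(sample_codes, weak_key)))
    print("one-time pad:", group(encipher(sample_codes, pad)), "key:", group(pad))
    print("round trip  :", group(decipher(encipher(sample_codes, pad), pad)))
```

The passphrase variant is there only to show the arithmetic with a value you can check by hand (`1` + `S` = 1 + 28 = 29 = `T`, and so on); for real use, generate the pad, keep it off the travel device, and mail only the enciphered codes.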
To lock down 2FA at a border crossing, you’ll need to disable your own ability to access the resources you’ll be compelled to surrender, but in a way that lets you pick it back up shortly after passing the security boundary. For example, if your 2FA sends you an SMS message when you log in, discard the SIM for that number, and bring a prepaid SIM with you through the border crossing; one with a different number. SIMs are usually cheap or free, so you can pick a replacement up easy enough, or even keep an extra one on the other side of the border (such as at home, or mailing it to your hotel). If you are forced to provide your password, you can do so, however you can’t produce the 2FA token required in order to log in. Purchasing a prepaid SIM in a foreign country is a fairly common behavior. You won’t need to lie to an agent when you tell them that it won’t work from that phone, until you get back home.
If you use an authenticator application, such as Google Authenticator or 1Password, delete the application from your devices. Worst-case scenario, the border agent can force you to re-download the applications, but you won’t be able to re-provision them without the backup codes you have waiting for you on the other side. There is a social element here, of course, such as “oh, I can only access my account from my home computer, I’m sorry, I don’t have it installed on this phone. I guess I’m locked out too!”
One other step could be to change the 2FA to a friend’s number, or that of your lawyer, and instruct them to only give you the code if you inform them you are not being detained at a border crossing. This has the added benefit of convincing the border agent to let you call your lawyer.
Locking Down Email
Once 2FA fails, preventing you from accessing your own accounts, a border agent may attempt to access your email to reset the accounts. Ensure that your devices have all been signed out of your email, and that no passwords are stored on the device. Ideally, use a completely different email account to provision your accounts – one that is not normally synced with your devices, and one known only by you. This is sound security advice too for protection from everyday phishing.
You can go through the same dance to lock yourself out of that email account as well, of course, making those backup codes only available to yourself on the other side of the border. The 2FA for that email account can forward to some dead account that you’ve long since closed, or take this as far as you want to go with it. Chances are a border agent is only willing to go so far down the rabbit hole before giving up, but YMMV. It’s best to have a dead end somewhere that even you can’t recover from, but with many off-site recovery hooks into it.
Data Redundancy and the Cloud
While you may wipe your devices of personal data, a traveler often needs at a minimum access to their basic contacts and calendar. This information can be synced in iCloud; before arriving at the border, wiping your device will remove all of your personal information, including iCloud data, from the phone. Once you’ve arrived at your destination, using your 2FA backup code to re-sync your iCloud content will give you back your minimum working data to be functional again. This could be as simple as giving your friend a code and calling them later, or posting it using stego somewhere.
Your iCloud information is, of course, subject to warrants, however border crossings often go by much looser rules. The probability of obtaining a warrant is generally going to be low at a border crossing, unless you’ve got reason to believe otherwise, but there are also rules involving what soil your data sits on (rules that have been pushed on recently, mind you, in this country). Keeping your data in any online system will no doubt expose it to a warrant, but that’s not what we’re trying to protect ourselves from here.
I’ve written about Pair Locking extensively in the past. It’s an MDM feature that Apple provides allowing you to provision a device in such a way that it cannot be synced with iTunes. It’s intended for large business enterprises, but because forensics software uses the same interfaces that iTunes does, this also effectively breaks every mainstream forensics acquisition tool on the market as well. While a border agent may gain access to your handset’s GUI, this will prevent them from dumping all of the data – including deleted content – from it. It’s easy to justify it too as a corporate policy you have to have installed.
Without pair locking, giving UI access to a border agent allows them to image much of the raw data on the device, which ultimately can give them a six month or even a twelve month picture of your activity, rather than just what’s available from the screen.
Now, backup encryption is a great mechanism, and this too will break forensics tools, but you can also be compelled to give up a backup password. If you are, all of the social media account passwords and other information can be extracted from your device. This is why I recommend pair locking in addition to backup encryption: it completely prevents any such tools from connecting to the phone, even if your device UI and backup password have been compromised.
Of course, this means that you also can’t carry the pairing records around with you on the laptop you’re crossing the border with. These pair records, found in /var/db/lockdown on a Mac, need to go in with the backup codes and other files you have prepared for yourself in advance. There are also configurator certificates that shouldn’t be present on your travel device – pair locking should be done from a home or work computer that is outside of the constraints at the border.
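The pre-departure step described above (getting the pairing records off the travel laptop and into the same stash as the backup codes, then confirming nothing is left) as an added example in Python; this is not code from the original post or from Apple. It assumes the post’s stated location, `/var/db/lockdown`, where pairing records are stored as one `<UDID>.plist` per paired device, and that `SystemConfiguration.plist` in the same directory is the host’s own record rather than a pairing (both assumptions, not verified against a specific macOS version). `demo_round_trip()` runs the whole procedure against a constructed directory with a made-up record name, so it can be tried without touching a real system.

```python
"""Move iOS pairing records off a travel Mac and verify the directory is clean.

Added example, not part of the original post. Assumptions: pairing records
live in /var/db/lockdown as <UDID>.plist; SystemConfiguration.plist there is
the host's own record and is left alone. Run with sudo on a real system.
"""
from __future__ import annotations

import tarfile
import tempfile
from pathlib import Path

LOCKDOWN_DIR = Path("/var/db/lockdown")        # assumed macOS location (from the post)
HOST_RECORD = "SystemConfiguration.plist"      # host record, not a device pairing (assumption)


def list_pair_records(lockdown_dir=LOCKDOWN_DIR) -> list[Path]:
    """Return the per-device pairing records, sorted; empty if none or no dir."""
    lockdown_dir = Path(lockdown_dir)
    if not lockdown_dir.is_dir():
        return []
    return sorted(p for p in lockdown_dir.glob("*.plist") if p.name != HOST_RECORD)


def archive_pair_records(lockdown_dir, archive_path) -> list[str]:
    """Pack every pairing record into a tar archive (to travel with the 2FA
    backup codes, inside whatever encrypted container you use for those), then
    delete the originals. Returns the names that were moved."""
    records = list_pair_records(lockdown_dir)
    if not records:
        return []
    with tarfile.open(archive_path, "w") as tar:
        for rec in records:
            tar.add(rec, arcname=rec.name)
    for rec in records:            # only after the archive closed cleanly
        rec.unlink()
    return [r.name for r in records]


def has_no_pair_records(lockdown_dir=LOCKDOWN_DIR) -> bool:
    """Final pre-departure check: True only if no pairing record remains."""
    return not list_pair_records(lockdown_dir)


def demo_round_trip() -> dict:
    """Exercise the procedure on a constructed lockdown directory.
    The record name below is a made-up, UDID-style placeholder."""
    with tempfile.TemporaryDirectory() as tmp:
        lockdown = Path(tmp) / "lockdown"
        lockdown.mkdir()
        (lockdown / HOST_RECORD).write_text("<plist/>")                   # host record, stays
        (lockdown / "00008030-EXAMPLE0000001E.plist").write_text("<plist/>")  # constructed pairing
        before = [p.name for p in list_pair_records(lockdown)]
        archive = Path(tmp) / "pair-records.tar"
        moved = archive_pair_records(lockdown, archive)
        with tarfile.open(archive) as tar:
            archived = sorted(tar.getnames())
        return {
            "before": before,
            "moved": moved,
            "archived": archived,
            "clean_after": has_no_pair_records(lockdown),
            "host_record_kept": (lockdown / HOST_RECORD).exists(),
        }


if __name__ == "__main__":
    print(demo_round_trip())
    # On a real travel Mac (as root, after pair locking from the home machine):
    # archive_pair_records(LOCKDOWN_DIR, Path.home() / "pair-records.tar")
    # print("clean:", has_no_pair_records())
```

Deleting the records is what matters for the threat model: a forensic tool plugged into the phone cannot reuse a trust relationship that no longer exists on any machine crossing with you. The archive is plaintext tar, so it belongs in the same encrypted stash as the backup codes, never loose on the travel device.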
If any of your devices include fingerprint readers, it’s best to disable them and delete your prints before going through a checkpoint, for obvious reasons. Of course, this really plays into the position of “won’t” versus “can’t”, if you can still be compelled to give up your device passcode. Nonetheless, it raises the bar considerably, even against warrants, which can compel a fingerprint in the US, but in most cases cannot compel a passcode. Be advised, there is much surveillance in airports and other public places, so entering a passcode is a bad idea, as you’ll leave surveillance footage.
Misdirection vs. Lying
I never recommend lying to a border agent, no matter what country you’re in. Misdirection is also a far better alternative to securing your data. If, by happenstance, you’ve set up your security so that you cannot access what they need yourself, this in my opinion is far better than simply telling someone that you don’t have a social media account. Everything that you say and do may end up in a file on you for next time you pass through the border, and if you’re found to be lying, you’ll be denied entry.
Setting up false personas is one possibility; however, many future forms are likely to ask you for all of your accounts, rather than one of them, just as they do for personal aliases. Maintaining false personas is not hard to do, but unless you’ve masked your identity online for the past few decades, it likely isn’t going to get you far – especially if you’re verified on Twitter or use your real name on Facebook, two great ways to give up plausible deniability. Multiple personas may make it easier to disappear into obscurity than false personas; multiple accounts all using your name present the illusion of name collisions, and even when that’s impossible, it’s easy to justify no longer having access to old accounts, or creating new accounts when old ones are hacked, etc.
Get your method down before you leave home. “My Twitter account only works from my home computer” is an honest and accurate response, and much better than getting caught in a lie later on about not having a social media account. Remember, many countries have access to open source social intelligence and already know the answers to some of the questions they ask you. LE social media APIs are often searchable and can easily locate you.
Use Your Brain
Depending on what country you’re trying to protect yourself in, it’s most important to use your brain and know what the country’s laws are. It’s easy to poke your chest out and refuse to give up any information, but that’s not always the path of least resistance. Disavowing yourself of your ability to access your own data, temporarily, or playing dumb and computer illiterate, may give you better results on a security level, but remember the beaten-with-a-wrench policy typically overrides a lot of your own politics. If you’re going to be serious about protecting your data, then that means you also need to consider and weigh the consequences of that.