Uh Oh: TSA Can Search Laptops
A US Ninth Circuit court ruling this week has asserted that computers are like luggage and are therefore subject to searches at borders and airports. This is a scary revelation for anyone in the computer industry who is practically inseparable from their laptop.
Unlike luggage, a laptop is a vessel for storing sensitive corporate data, personal financial information, and in many cases, just about everything a person has ever done (I, for example, have email archives dating back to 1996).
This is yet another reason to start protecting your data using applications like PGP Whole Disk Encryption (for whom I used to work), or Open Source alternatives like TrueCrypt. However, given that a state court has already ruled that the TSA can’t force you to divulge your passphrase, I have to wonder how long it is before the TSA lobbies for a software equivalent to the ominous TSA travel locks?
Another option is to store sensitive data somewhere in the “cloud” and not on the laptop. We’ve been advised to keep all sensitive data on the corporate network, and to remote in to access it. For home users, one of the many internet storage solutions (depending on how much you trust them) or somethig like a Windows Home Server could be a solution.
totally creepy. too bad most of the tech world is too selfish to care about public policy.
I don’t think encryption is a solution, if they search your laptop and they find encrypted disk or encrypted data then you are in trouble, if you don’t release your password they can take your laptop for indefinite amount of time…!
Truecrypt is a good solution since use the hidden volume technique.
I believe the best solution is to encrypt your files and store it online.
Then just go around with your laptop without any sensitive data on it.
There’s another interesting dimension to this that occurred to me while discussing this with Ashley: what’s the liability for the user or the company for information exposed due to a TSA search?
For example: I have a lot of data on my laptop from my various employers, with whom I have signed non-disclosure agreements. These agreements are legal contracts that obligate me to not disclose proprietary information owned by the company. Now, let’s say the TSA is searching my laptop and decides to access this sensitive data – at this point, I have now violated my non-disclosure agreement. But I didn’t have any choice. Am I liable?
Another example: Many of the US states now have data breach laws modeled on California’s SB-1386. These laws require companies to not disclose customer’s non-public personal information. Disclosure of this information requires the company to notify the customer, a process which is usually complicated by the fact that the precise customer who has had their information disclosed is not known (think of a laptop with hundreds of customer records on it). The result is an expensive legal and PR debacle for the company. Now, again, the TSA decides to look at some of the customer files on my machine as part of their search. Am I, or my company, liable for this “breach”?
The larger issue here is that this is the beginning of a dangerous precedent. The next logical step is for the TSA to note “Oh, we can’t possible search an entire machine in the time we have at the border. We need to be able to take a complete copy of your drive – that way, we can search it later.”
Giorgio and Matt have the right idea – storing the data in the cloud. However, that’s problematic for most travelers. Think about sales guys who need access to their data on the road. Sure, there are ways around this (wireless/cellular modem cards), but it’s yet one more complication that business would rather avoid.
Looks like the EFF is stepping up the pressure to have hearings on laptop search procedures. In the meantime, they’ve issued recommendations on how to keep your laptop from being searched.
Maybe I’m a bit naive but I’m not a full time computer guy. My response to this, however, was “who cares”? Do you seriously think the border guard is going to look for, recognize, copy, and nefariously use your work-related data while searching your laptop for kiddie porn or terrorist propaganda? There is a tendency toward paranoia amongst computer people who seem to believe everything needs to be super secure just because someone *could* possibly access it one day. People *could* whack you in the head with a hockey stick but you don’t go around through life wearing a helmet all the time.
The upshot of this is that those of us who simply want to use computers get really annoyed at having to type in all sorts of stupid passwords every freaking time we want to do anything. The truth is that NO ONE WANTS WHAT YOU HAVE ON YOUR LAPTOP! Even if you happened to have a file entitled “Credit card and banking information with associated pins” it’s unlikely the border guard cares. Your all time high score on Minesweeper or Scorched Earth is certainly safe and your work-related material won’t be up on YouTube courtesy of customs any time soon.
@William: Sorry, but you are being naive here.
In some cases, even exposing access to some types of data is sufficient to trigger liability, especially in cases where this data is that of customers, employees, or patients. Whether or not the TSA crawls through every file is immaterial. Why do you think all those companies are getting their asses fined for losing laptops – even though there’s no proof they fell into nefarious hands, or had the data on them compromised?
This, by the way, is not being driven by computer people – although I think they have a better understanding than most on the ways information can be used as a weapon. In fact, the paranoia is being driven by lawyers. It’s being driven by giant lawsuits that cost companies millions of dollars when someone from accounting loses a laptop with employee names and Social Security numbers – numbers that can be used to enable identity theft. It’s being driven by the massive PR nightmares that befall any company that loses a backup tape off the back of a truck. It’s being driven by technology companies whose intellectual property is extremely time sensitive in a market that is becoming more and more competitive.
You make a good point, however: it’s not reasonable for the TSA to look at, recognize, and copy every file. That’s why this is a dangerous move – it opens the door to the next logical argument you’ll hear from the TSA: “To protect the US, we need to copy everything on people’s drives as they come in and out of the US, after which the data will be examined more thoroughly.”
It sounds ludicrous, but then again so does wiretapping the phone calls and email of normal citizens without a warrant.
Your central thesis is a variant of the old “if you don’t have anything to hide, you don’t need to worry about this” chestnut. Computers have become the vessels for our private thoughts and lives – humans inherently have a need for privacy. Poor you, the passwords are annoying? Turn them off then. And while you’re at it, why not stop bothering to lock your home and car doors, and leave the blinds in your bedroom open?
After all, you’ve got nothing to hide, right?
I’m not saying “if you don’t have anything to hide, you don’t need to worry.” I’m saying the odds of anything bad happening are so infinitesimal as to be unimportant. It’s like driving down the 401 (or whatever passes for the 401 in Vancouver.) The speed limit is 100 and everyone, including you, is doing 120. Yes, the cops *could* pull you over. Very occasionally, they actually do pull someone over. In reality, however, you could commute every day down that highway, speeding all the time, and go through five full lifetimes without ever being given so much as a warning.
The sheer amount of stuff out there makes it very unlikely that the “time sensitive” data a given company has on the laptop of one travelling employee will ever be noticed, let alone fall into the hands of a competitor.
And, yes, I do often leave my house and car unlocked. If I put the blinds down on my window it’s for the benefit of any passers-by rather than for my benefit. Besides, the nearest neighbours are 400 forested metres away in any direction.
I think you miss part of my argument: for many users, providing the TSA with access to your data, however superficially, is a problem. Not because the TSA necessarily does anything with it, but because you, due to your own legal obligations, are liable for disclosing that information under any circumstances.
As for “time sensitive” data – guess again. I was in Illinois at Motorola two years ago, and one of the information security guys noted that the delta between the Motorola RAZR coming on the market and copycats hitting the market was on the order of months. If the plans for the phone had gotten out prior to the launch, it could have cost Motorola tens of millions of dollars. There are international data thieves that trade exclusively in stolen data. Heck, I’ve even heard stories from customers whose executives were the victim of a targeted theft of their laptop.
People with unchecked power are prone to abusing that power, and information is the ultimate power. Is the chance of exposing sensitive data in this manner small? Sure, but the ramifications in the case it gets out of your hands are large in a world where a $20 flash drive the size of a gumstick can store 2GB of data, and networks can move large amount of data around the world instantaneously.
Cardinal Richelieu once said “If you give me six lines written by the hand of the most honest of men, I will find something in them which will hang him”. What if he had a whole hard drive?
It’s not the TSA that searches laptops, it’s the CBP at international gateways.
Good point, it is Customs and Border Protection (CBP), as explained on the TSA blog: http://blog.tsa.gov/2010/01/can-tsa-copy-your-laptop-hard-drive-and.html
Then again, I’m not sure that should make anyone feel any better. It’s only a matter of time before the same logic is used to extend the same allowances from the borders to domestic travel.