105

Since laptop and other electronic device seizures at US borders became legal without a warrant (including making copies of data), 7% of ACTE's business travelers reported being subject to a seizure as far back as February 2008.

What measures have IT departments taken since to protect sensitive corporate data, and are there any estimates of their (aggregate or individual) costs? I've only found this article about the economic costs of laptop seizure, but no figures are mentioned.

9
  • 37
    I would trash any hardware they seize if I ever get it back... I'm going to say "no thank you" to spyware on my hardware
    – Freedo
    Commented May 12, 2015 at 0:15
  • 27
    What kind of mad world do we live in where forcing people to disclose their password is even vaguely considered ok...
    – undefined
    Commented May 12, 2015 at 22:32
  • 3
    I like the books of W. Gibson and other similar works, but would rather they stayed fiction. Commented May 13, 2015 at 15:49
  • 1
    Regarding the newly added cost estimation aspect, I am not sure there can be any general answer since it largely depends on the context. Some journalists and activists are brought to secondary inspection upon nearly each border crossing, while "uninteresting" travelers may go through their whole life without ever being asked any question. It is clear that the costs in these two situations are at two extremes... Commented May 14, 2015 at 9:40
  • 1
    @robertgrant they don't have a warrant, or any reasonable cause; that's part of what makes it so bad. Also, what could you possibly be bringing into the country that you couldn't do completely anonymously via the internet? It's like the government randomly picking houses to break down the doors.
    – undefined
    Commented May 18, 2015 at 12:25

10 Answers

85

The ANSSI, the French government service in charge of IT security, has published a document providing brief advice to people having to travel abroad.

Relevant here are the advisories concerning preparation before travel:

  1. Review the applicable company policy,
  2. Review destination country applicable laws,
  3. Prefer to use devices dedicated to travel (computers, smartphones, external storage etc.) and not containing any data not strictly needed for the mission,
  4. Backup all of your data before leaving and keep the backup in a safe place,
  5. Avoid taking any sensitive data at all, prefer to use a VPN (or a specially set up secured mailbox where all data will be deleted after retrieval) to retrieve the data securely (this is one of the most on-topic pieces of advice, since this one prevents any sensitive data from being present on the computer when crossing the border),
  6. Use a screen filter to avoid shoulder surfing during travel,
  7. Apply a distinctive sign on the computer and accessories (like a sticker, do not forget to put one on the computer bag) to facilitate tracking and avoid any accidental exchange.

The linked document then goes on with other advice concerning the rest of the trip but this is less relevant regarding the current topic. Sorry to provide French documents as a source, but the ANSSI is an authoritative source in France and I felt it could be a worthy addition to this discussion since these advisories seem to properly address the question.

Edit:

As some comments and the very useful answer from Spehro Pefhany below pointed out, there are two other things which should be noted:

  • If your computer is seized and you are asked for encryption keys and passwords, do not put up any resistance since it may lead you into legal trouble (I suppose you are traveling with some sort of mission; it would be too bad for the mission to be canceled because you were not able to attend the meeting or respect some contractual engagements. Customs may have plenty of time, you may not.) However, immediately inform your company IT staff and managers so due actions can be taken (revoking corresponding accesses, passwords, certificates, etc.) and discuss the issue with them to determine the way to proceed, since the seized then returned devices may not be trustworthy anymore (impact and mitigation directly depend on the nature of the mission).
  • Customs are a two-way passage. When preparing your luggage for the return travel, ensure that you have properly cleaned up your devices (again, not only the laptop: all devices including cellphones, external storage, etc.): send your data to your company (in encrypted form, again either using a VPN or a secured one-time email account), then wipe the files using appropriate software, delete the browser's history/cache/cookies, delete OS temporary files, delete call, message and voicemail history, and delete information about used networks (Wifi accesses, proxies, etc.).

And while I'm at it, good advice for the traveler:

  • Be careful when you are offered any external media like a USB key or a CD. Be careful too when exchanging documents with other people using writeable external media (as a reminder, the write protection on SD-cards is software only and therefore cannot be trusted),
  • Do not plug your cellphone into the free public USB chargers, which are becoming more and more frequent in places like airports,
  • No matter if your devices have been seized or not, do not plug them back into your company network unless they have had at the very least a thorough check.
  • At your return change all passwords which were used during your travel.
7
  • 16
    This is the best practical answer. Let them search your freshly-reimaged laptop. If you prevent them searching your laptop, and they notice, they can bar you from the country. Or in some cases deport you to the wrong place!
    – pjc50
    Commented May 11, 2015 at 10:10
  • 9
    3 and 5 are particularly important. Attempting to hide or encrypt all your sensitive data just makes you look more suspicious. If you have a company laptop full of sensitive data, leave it at home. Take a "disposable" laptop with nothing but COTS/OSS software on it, and no sensitive documents at all. Arrange for documents to be delivered by another means.
    – Simon B
    Commented May 11, 2015 at 11:14
  • 19
    Am I the only one actually far more concerned about the security of my hardware after I get it back than about them scanning it in the first place? What if they flash malware onto the BIOS or put hardware spyware in it? Your sensitive data would be stolen as soon as you download it
    – Freedo
    Commented May 12, 2015 at 0:02
  • 5
    It should be safe to connect a cellphone or other device to a USB charger at an airport (or other public location) with a power-only cable (one that is missing the data wires). Commented May 13, 2015 at 18:02
  • 4
    @NathanOsman: Often such cables will result in non-charging or extremely slow charging because negotiation via the data cables is needed in order for the device to be allowed to draw greater than a tiny current over USB. Getting both protection and usable charging requires a proxy device that negotiates the current but does not allow arbitrary data over the wire. Commented May 14, 2015 at 17:54
19

A useful and practical guide to securing information devices when crossing borders is provided by the Canadian Bar Association here. I would not say the U.S. border is the only one of concern, others such as China might eventually become similarly aggressive (though I've seen little sign of that to date).

The guide echoes many of the points made in other answers (avoid having anything sensitive on the machine at all if unnecessary (preferably keep your travel computer forensically clean), do not make it any easier than necessary for the drive to be imaged, consider encryption, back up data where you can get it so it doesn't impact your livelihood were the device to be confiscated for an unknown length of time).

One important point is that if you lose control of your device at a frontier checkpoint, you should treat it as infected with spyware from that point forward.

You should have a backup of your smartphone available (not necessarily with you). Smartphones can hold a wealth of information; it might be worth it for frequent travelers to have a separate cellphone of the same type as their main phone and transfer the SIM card between phones. By default your phone can show a nosy person all the places your phone has stopped in the last couple of weeks, on a map, and if your neighborhood cinema (say) happens to be next to something provocative, it could arouse unnecessary suspicion.

Of course this applies to ordinary folk engaged in sensitive (perhaps unpopular or commercially valuable) but legal activities. If you're actually doing genuinely bad stuff this probably won't cut it (and that's fine).

It's also important to remember that your devices can be searched upon return to your home country. The mere presence of certain technical documents on your computer under the wrong circumstances can cause you to be at risk of many millions of dollars in fines and perhaps a decade behind bars because you would be deemed to have 'exported' them. The risk level probably goes up greatly if you have clearances that allow you to have privileged access to such documents and your itinerary looks odd, to a border guard.

1
  • 6
    This is a really excellent point: "if you lose control of your device at a frontier checkpoint, you should treat it as infected with spyware from that point forward". I am not worried about permanent laptop seizure, just about anyone at border control messing with my laptop or devices. I don't worry about NSA spying on me as much as about careless security practices by border patrol staff. If they mess with something of mine, I can't be certain they don't inadvertently cause any number of issues. Commented May 12, 2015 at 19:24
18

The best way to protect against that type of border search is actually not to have anything suspicious on the hardware you take through customs.

Using encryption technology will most likely raise suspicion in the first place. Refusing to provide the necessary codes can, in some places, lead to the hardware being confiscated or even to you being arrested. Of course, that is highly dependent on which border you're actually crossing: in some parts of the world, you're more at risk from petty theft than from government-sanctioned casual spying.

For the US, the EFF has a nice article regarding this specific issue highlighting a number of practical ways to reduce your exposure (removing the data drive, storing data on a networked server, using a "travel" laptop, etc.)

For other countries and legislation, it has a lot to do with the local laws (and practices) so some research is most likely necessary.

3
  • 12
    One of the more novel techniques I've heard about is people covering the screws on the reverse side of the laptop with glitter nail polish. When the polish is set they photograph the unique pattern of dots created by the glitter suspended in the polish. It is highly unlikely (if not impossible) that anyone would be able to recreate that pattern after having moved the hard disk for cloning/analysis.
    – user56893
    Commented May 12, 2015 at 21:46
  • 5
    @JamesR Here is an article about that nail polish treatment.
    – Dubu
    Commented May 13, 2015 at 9:06
  • 5
    A comment on "Using encryption technology will most likely raise suspicion in the first place"... may still be true for personal devices. However, full-disk encryption is pretty common for corporate-owned laptops (possibly with some key-escrow solution so that the corporate I.T. department can reset the password, but DHS won't have access to that). For example, all IBM employees who carry laptops use either PGP (Windows) or LUKS (Linux). And a corporate employee won't be fired for saying "only my employer's lawyer can tell you that password".
    – david
    Commented May 13, 2015 at 14:16
14

Full disk encryption is the most common one used. The cost would depend on the time which needs to be spent by the IT department on top of normal laptop staging. However, in my experience FDE is a must for any organization taking its security seriously.

Aside from that there are also some really anti-forensic tools; I remember a talk at Brucon where one of the speakers had had issues in that regard and provided some tools to patch TrueCrypt and add some anti-forensics.

Now in regard to situations where entry would be denied, you would have to rely on a risk assessment which is performed by your internal security office. They should define what should happen in such a case, which is either leave the US or surrender your keys.

Also note that recently U.S. District Judge Amy B. Jackson has issued the government a long overdue smack-down in this regard. While her ruling is based on the particularly egregious circumstances of this case (waiting for someone to leave in order to get around a warrant, seizing the laptop without searching it and transporting it to be imaged and forensically analyzed, the flimsy tip, and the lack of any allegation of a current crime), she resoundingly rejects CBP’s assertion that it needs no suspicion to do whatever it wants at the border regarding digital devices.

10
  • 12
    I've read that FDE is ineffective because you can be denied entry if you refuse to provide the decryption key. Commented May 11, 2015 at 7:25
  • 7
    @LucasKauffman Would violation of 5th amendment even apply to non-US citizens? Commented May 11, 2015 at 11:37
  • 10
    The border admission process is not a legal proceeding. The 5th amendment therefore doesn't matter - self incrimination isn't applicable.
    – MSalters
    Commented May 11, 2015 at 12:13
  • 5
    @user3147268 I don't think the fact that the traveler doesn't know how to decrypt the data matters (especially as everyone can pretend that). If you must surrender the keys the best way is to not have any sensitive data and only download it via a secure channel once you passed the border (for authentication you can use a smartcard which is common enough to not raise any suspicions).
    – user42178
    Commented May 11, 2015 at 14:23
  • 7
    If i used TrueCrypt, i would create a 1,339,036,935,291 byte file, with an innocuous name (e.g. twasnme - Star Trek_ The Next Generation.mkv). Inside that volume would be a hidden volume. That is what i would do if i used TrueCrypt. But i don't use TrueCrypt; and i definitely don't have a hidden volume anywhere.
    – Ian Boyd
    Commented May 11, 2015 at 18:51
13

I have two solutions. Both require Full Disk Encryption (FDE).

First Solution

Credit to Bruce Schneier.

  1. Just before leaving home, create a second key. Type it with your forehead, a cat or dog, just so it's random and not possible to remember.
  2. Send the second key to a trusted person, preferably someone with a privileged relationship, i.e. lawyer, priest/preacher (get your IT guys ordained over the internet, Instant Privilege!), and test to make sure it works.
  3. Shred or destroy all copies of the new key.
  4. Be productive on the flight home, then delete the key you normally use.

--Don't lie to customs; it may be a crime in many places. Even show them this article.

--Explain that they can confiscate and/or copy the laptop, but they will have to go through the courts to be able to see the data. Only explain the last part if you have to. Don't be a dick.

  5. After customs, get your random key back, add usual key.

Second Solution

With FDE, send a non-memorizable keyfile to your destination; also send or keep a copy with a trusted person.

Or ship the laptop and keep the decryption keyfile on a tiny USB drive. Keep it in your carry-on or, if you're paranoid, in one of many skin folds or orifices.

3
  • 7
    Your "priest" had better know GPG for this solution to be trustworthy. Indeed, if you are willing to apply this procedure, it means you carry valuable data. If you send the password by email to the priest, then you can assume that the NSA has access to the email content. With the customs making a copy of the hard disk content, they have all that is needed to decipher it without your help. Commented May 12, 2015 at 12:57
  • 3
    It doesn't mean the person is carrying valuable data. It could mean they don't want their device messed with, and/or just abhor the power grab of computer searches at customs. It could even become a grass roots practice to always have a friend change to an unknown password before going through customs. Or even to bring a device (or several) full of pointless decryption puzzles but no useful data through customs on every trip.
    – Dronz
    Commented May 12, 2015 at 19:03
  • @WhiteWinterWolf Sending the key could be by carrier pigeon, RTTY on 40 meter radio, or GPG encrypted email. All of my work email is encrypted, and all of it is pretty boring. If the NSA asked me nicely, I would even show them. If they were really interested, I'm sure they already know. Dronz, Exactly, value is relative. Aztech Group just paid Millions for a pork recipe. I use GPG to trade worthless, but yummy, fish recipes with my brother. I send text messages—encrypted, not because, “Dude, I'm on my way.” is valuable, but because my privacy is. I even use Tor to check the weather. Commented May 16, 2015 at 16:06
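The first solution above maps directly onto key slots in a LUKS-style header: one random volume key, several wrapped copies of it, each opened by a different secret, and slots that can be added and removed without touching the data. The block below is an added example, not code from the answer or from any FDE product; it models that mechanism in pure Python (the PBKDF2/XOR/HMAC wrapping, the slot names and the iteration count are illustration only, chosen by me) so that steps 1 to 5 can be run end to end. On a real Linux laptop the equivalent commands are cryptsetup luksAddKey, luksRemoveKey and luksAddKey again.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import secrets

KEY_LEN = 32              # length of the volume key and of each derived key
PBKDF2_ITERS = 100_000    # assumption: slow enough to blunt offline guessing


def _derive(secret: bytes, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch a slot secret into a wrapping keystream and a MAC key."""
    raw = hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ITERS, dklen=2 * KEY_LEN)
    return raw[:KEY_LEN], raw[KEY_LEN:]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Header:
    """On-disk header: only wrapped copies of the volume key, never the key itself."""

    def __init__(self) -> None:
        self.slots: dict[str, tuple[bytes, bytes, bytes]] = {}  # name -> (salt, wrapped, tag)

    def add_slot(self, name: str, secret: bytes, volume_key: bytes) -> None:
        """Like 'cryptsetup luksAddKey': wrap the volume key under a new secret."""
        salt = os.urandom(16)
        stream, mac_key = _derive(secret, salt)
        wrapped = _xor(volume_key, stream)
        tag = hmac.new(mac_key, salt + wrapped, "sha256").digest()
        self.slots[name] = (salt, wrapped, tag)

    def remove_slot(self, name: str) -> None:
        """Like 'cryptsetup luksRemoveKey': that secret no longer opens anything."""
        del self.slots[name]

    def unlock(self, secret: bytes) -> bytes | None:
        """Try the secret against every slot; return the volume key, or None."""
        for salt, wrapped, tag in self.slots.values():
            stream, mac_key = _derive(secret, salt)
            expected = hmac.new(mac_key, salt + wrapped, "sha256").digest()
            if hmac.compare_digest(expected, tag):
                return _xor(wrapped, stream)
        return None


def create_volume(usual_passphrase: bytes) -> tuple[Header, bytes]:
    """Format a fresh volume with one slot for the passphrase you normally type."""
    volume_key = secrets.token_bytes(KEY_LEN)
    header = Header()
    header.add_slot("usual", usual_passphrase, volume_key)
    return header, volume_key


def prepare_for_border(header: Header, usual_passphrase: bytes) -> bytes:
    """Steps 1-4: add an unmemorable key, test it, then delete the usual one.

    Returns the travel key; the caller hands it to the trusted person and keeps
    no copy (step 3).  From then on the header opens only with that key.
    """
    volume_key = header.unlock(usual_passphrase)
    if volume_key is None:
        raise ValueError("usual passphrase does not open the volume")
    travel_key = secrets.token_bytes(KEY_LEN)        # step 1: random, not memorable
    header.add_slot("travel", travel_key, volume_key)
    if header.unlock(travel_key) != volume_key:       # step 2: test before relying on it
        raise RuntimeError("travel slot does not unlock the volume")
    header.remove_slot("usual")                       # step 4: your own key is gone
    return travel_key


def restore_after_border(header: Header, travel_key: bytes, usual_passphrase: bytes) -> None:
    """Step 5: get the travel key back, re-add the usual slot, retire the travel slot."""
    volume_key = header.unlock(travel_key)
    if volume_key is None:
        raise ValueError("travel key does not open the volume")
    header.add_slot("usual", usual_passphrase, volume_key)
    header.remove_slot("travel")
```

Two things the model makes visible. Adding or removing a slot never changes the volume key, so anyone who already holds an older copy of the header together with any secret that was valid for it can still decrypt; the procedure only helps against a copy taken after the usual slot is gone. And the volume key is in RAM for as long as the volume is open, so the laptop has to be powered off, not suspended, before the checkpoint.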
4

The most efficient approach I can imagine is the following:

  • Boot from a USB media
  • Mount a hidden encrypted volume located on internal media
  • Leave boot media at home
  • Use a screen saver which upon seeing a secondary password will cause a system crash.
  • Have a bootable system on the internal media using the secondary password as login password.

There are a few caveats to this approach. First of all, if you run out of battery, all data on the laptop will be inaccessible until you can get new boot media. If the system on the internal media is ever booted, it may overwrite some of the encrypted data, so in that case you would need to consider your encrypted image lost.

The data loss in that case is no worse than in case the laptop is stolen. And the protection you need in both cases will be the same, you need to have a backup of your data in a secure location.

Additionally, you need to be aware that some (maybe all) storage encryption implementations have a weakness in that the key and some confidential data remain in RAM while suspended. For security upon suspend the key should be wiped from RAM after all other data in RAM has been encrypted. It needs to be such that upon waking from suspend the only thing the machine can do is to accept a screen saver unlock password, which will decrypt the RAM, or it can accept the secondary password causing a crash. (Some of the implementation details can be varied from what I sketched here, and still remain secure.)

Hibernation is less secure, because you don't want to leave data on the internal media, which gives away the existence of the above constructions.

4
  • Why do you need to force a crash? Why not just reboot into the clean OS before going through security? Commented May 11, 2015 at 13:23
  • @MikeOunsworth Because in the scenario I describe, booting the OS from the internal media would cause the encrypted image to be damaged. Moreover simply shutting down the machine would mean the encrypted image would be inaccessible until you have the boot media again. The point being that there would be nothing giving away the presence of the encrypted data once the machine had been shut down, but that would also mean you wouldn't be able to decrypt it.
    – kasperd
    Commented May 11, 2015 at 13:30
  • 1
    ....while I agree that's certainly secure, I'm skeptical that it's the most efficient. Commented May 11, 2015 at 13:37
  • 1
    @MikeOunsworth Most efficient at hiding the presence of any encrypted data. If they cannot see that there is any encrypted data on the laptop, they won't be asking for the decryption key. I'm not saying there isn't any more efficient solution, I'm just saying, I don't know what it would be.
    – kasperd
    Commented May 11, 2015 at 13:51
3

Full-disk encryption, three-level.

First level: secure boot to the OS. Normal counter-measures (two flash drives/CD for bootloader signature verification, USB-AES passthrough devices and TPM/UEFI signing where applicable).

Second level: inner container with data - split it into two parts (each 128 KB of disk space, eject 1 KB of data to remote storage).

Third level: transfer the rights to access/deny the data to a third party. In a form of "I must ask unaffiliated person from non-US jurisdiction to either receive secure data or get it deleted".

So: officials can't access your data or apply legal measures to you (because technically the key is outside of their or your reach); your data is secured.

1

In many places I've been in, departments typically have "travel laptops". These are blank laptops with standard corporate encryption, Office, a web browser (for email access) and that's it, nothing else! No access to corporate networks, no access to personal disk areas, nowt!

These laptops were used whenever an employee left the country regardless of where they were going. The employee could simply load the laptop up with PowerPoints / necessary documents, go to their meeting, and upon their return the laptop is re-imaged and is fresh again. I'm not sure the policy took into account forensic examination but in terms of sheer damage limitation it seems to work quite well.

0

This works as security for all types of communication. It's also a kind of security by obscurity.

Simply insert a number of keywords into any document / communication: Terror threat. Bomb. Nuclear. Royal family.

Selection of currently important individuals by name ~ presidents, prime ministers, etc. Do the same for events ~ Olympics, World Cup, etc.

The poor security services will be so busy trying to find the real useful information from the polluting rubbish they will never have time to do anything else.

Downside to this: Everyone needs to do it for it to be truly effective. Actual criminal activities will get lost in all the noise, which is probably not helpful.

6
  • 1
    This idea reminds me of the Jam Echelon Day, a day during which all people around the Earth were encouraged to put specific keywords in all of their mail, phone, fax and so on communication in order to overflow the NSA's Echelon monitoring system... Commented May 14, 2015 at 12:13
  • @WhiteWinterWolf OK cool. Never heard of that but seems like the easiest thing to implement on an individual basis... Could even be done at the software level, so the text is coloured white (or page colour) so as not to distract from the rest of the document, but still visible to any text extraction system.
    – DaveM
    Commented May 14, 2015 at 13:39
  • 3
    From a more practical point of view, do not forget that customs have got plenty of time and do not care if they ruin your business by keeping you in an 8-hour interview, making you miss your appointment, and seizing all of your devices "for further analysis", making you lose all of the material you had, for instance, to show to a potential customer. In other words, at the end, being "over-dirty" might bother you much more than it may bother them, which is not the case if you remain clean and they have therefore no justification for any kind of further investigation. Commented May 14, 2015 at 14:04
  • @WhiteWinterWolf fair point. The idea is that there is so much noise they need to go through everything. You can just say... Knock yourself out, search away, make a copy but let me go on my way. The idea isn't to hide your data, it's to make it too time consuming to be able to get through everybody's work. If they searched my hard disk they would find gigabytes of genetic code. I'm not sure how mad they will go looking through strings of ATGC just trying to find an actual word.
    – DaveM
    Commented May 14, 2015 at 18:37
  • 2
    "You can just say... Knock yourself out, search away, make a copy but let me go on my way." Yes, you can say whatever you like. In this case, they will respond, "No, you're staying right here." Your move. Commented May 16, 2015 at 11:45
-1

You can hide the fact that you have heavily encrypted files by using the one time pad method. You can dump (encrypted) data from sensitive files in the form of fake high ISO noise in image files. To decrypt, you must have access to the original image files via e.g. Google Drive. If someone gains access to your Google Drive account they will only see image files, they won't suspect that you need to combine these files with the ones on your computer to extract the files (which then need to be decrypted using conventional means).

You can then travel while pretending to be just another tourist who is proud to show off his pictures to the border guards.

9
  • 1
    This is theoretically sound, but in the absence of off-the-shelf software to execute it with attention to all the details, is likely to get people in even more trouble when, not if, it fails.
    – zwol
    Commented May 11, 2015 at 18:26
  • It's ultimately just addition of bits (addition modulo 2), it's the most simple form of encryption you can think about. You may need a hex editor and some basic photo editing software like ImageJ or ImageMagick. Commented May 11, 2015 at 18:33
  • 2
    It is nonetheless subject to any number of operational security problems which render it extremely difficult to execute safely by hand.
    – zwol
    Commented May 11, 2015 at 18:55
  • Just wanted to chime in that you should absolutely never ever store anything meant to be kept secure on any third party service ever. Also ensure that if you do store something remotely on private servers, ensure the data never leaves the borders of the united states. This is how NSA legally spies on Americans. They cooperate with companies like google, google then decides to "randomly" move the server data containing your shiz to an out of country server, then back to the USA, making it legally searchable/crackable/copyable by the NSA. (external and thus "non-american" inbound data logic).
    – user7933
    Commented May 12, 2015 at 23:12
  • 1
    @CountIblis Unless, of course, they've read this answer and suspect you might have done such a thing...
    – phyrfox
    Commented May 13, 2015 at 17:08
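The embed/extract cycle the answer describes, as an added example that is not part of the original post: the payload (already encrypted by conventional means) is XORed into the two low bits of every pixel sample of a lossless image, the rest of the frame is filled with random bits so the grain covers the whole picture, and the untouched original image is the one-time pad that recovers it. The "image" here is a constructed 8-bit greyscale buffer standing in for the decoded pixels of a real PNG or RAW file; the 4-byte length prefix and the two-bits-per-sample layout are my own choices.

```python
import random
import secrets
import struct

BITS_PER_SAMPLE = 2               # low bits of each pixel sample that carry payload
MASK = (1 << BITS_PER_SAMPLE) - 1
CHUNKS_PER_BYTE = 8 // BITS_PER_SAMPLE
LENGTH_FIELD = 4                  # big-endian payload length stored first


def make_sample_image(width: int, height: int, seed: int = 7) -> bytes:
    """Constructed 8-bit greyscale frame: a horizontal gradient with mild grain.
    Stands in for the decoded pixels of a real lossless (PNG/RAW) photo."""
    rng = random.Random(seed)
    return bytes(((x * 255) // width + rng.randint(0, 8)) & 0xFF
                 for _ in range(height) for x in range(width))


def capacity(image: bytes) -> int:
    """Payload bytes that fit once the length field is accounted for."""
    return len(image) // CHUNKS_PER_BYTE - LENGTH_FIELD


def _to_chunks(data: bytes):
    """Split bytes into BITS_PER_SAMPLE-bit values, most significant first."""
    for b in data:
        for shift in range(8 - BITS_PER_SAMPLE, -1, -BITS_PER_SAMPLE):
            yield (b >> shift) & MASK


def embed(image: bytes, ciphertext: bytes) -> bytes:
    """Return a copy of image whose low bits are XORed with length + ciphertext + fill."""
    if len(ciphertext) > capacity(image):
        raise ValueError("payload does not fit in this image")
    stream = struct.pack(">I", len(ciphertext)) + ciphertext
    # Random fill to the end of the frame: the grain then covers every pixel, so
    # the noisy image alone does not reveal where (or whether) a payload ends.
    stream += secrets.token_bytes(len(image) // CHUNKS_PER_BYTE - len(stream))
    noisy = bytearray(image)
    for i, chunk in enumerate(_to_chunks(stream)):
        noisy[i] ^= chunk
    return bytes(noisy)


def extract(original: bytes, noisy: bytes) -> bytes:
    """Recover the ciphertext: XOR with the original (the pad) and regroup the bits."""
    if len(original) != len(noisy):
        raise ValueError("original and noisy image differ in size")
    chunks = [(o ^ n) & MASK for o, n in zip(original, noisy)]
    data = bytearray()
    for i in range(0, len(chunks) - CHUNKS_PER_BYTE + 1, CHUNKS_PER_BYTE):
        value = 0
        for c in chunks[i:i + CHUNKS_PER_BYTE]:
            value = (value << BITS_PER_SAMPLE) | c
        data.append(value)
    (n,) = struct.unpack(">I", data[:LENGTH_FIELD])
    if n > len(data) - LENGTH_FIELD:
        raise ValueError("length field inconsistent; wrong original image?")
    return bytes(data[LENGTH_FIELD:LENGTH_FIELD + n])
```

Three caveats a practitioner would check before relying on this. It only survives lossless storage: one JPEG re-encode or a photo-service "optimisation" of either copy destroys the low bits. Real sensor noise is not uniformly distributed, so the cover story holds up against a casual look, not against a statistical comparison with what that camera actually produces. And, as the comments above note, the operational side (never letting the original and the noisy copy sit on the same device, keeping the account that holds the originals out of reach) is where hand-rolled schemes like this usually fail.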
