Useful Links
SMBlog
RSS feed RSS icon
About this blog
About me
Archives of Dave Farber's IP list
Archives of RISKS Digest
The Legal Information Institute at Cornell University
Thinking Security
Firewalls and Internet Security: Repelling the Wily Hacker
The Electronic Frontier Foundation
The Tor Project
The Center for Democracy and Technology
Freedom to Tinker blog
Bruce Schneier's blog
Matt Blaze's blog
Matthew Green's A Few Thoughts on Cryptographic Engineering
Krebs on Security
July 2008
FISA and Border Searches of Laptops (10 July 2008)
Cybersecurity Advice for (Possible) President Obama (24 July 2008)
Control as a Motive for Content Owners (29 July 2008)
Recent Posts
Brief Notes on Computer Word and Byte Sizes (7 March 2023
In Memoriam: Frederick P. Brooks, Jr. --- Personal Recollections (18 November 2022
Attacker Target Selection (5 July 2021
Where Did "Data Shadow" Come From? (26 June 2021
Vaccine Scheduling, APIs, and (Maybe) Vaccination Passports (2 April 2021
Security Priorities (25 February 2021
Covid-19 Vaccinations, Certificates, and Privacy (13 August 2020
Hot Take on the Twitter Hack (15 July 2020
Trust Binding (11 June 2020
Facebook, Abuse, and Metadata (24 May 2020
Archive
2007 (43)
2008 (39)
2009 (21)
2010 (15)
2011 (16)
2012 (14)
2013 (6)
2014 (16)
2015 (14)
2016 (6)
2017 (17)
2018 (16)
2019 (17)
2020 (15)
2021 (4)
2022 (1)
2023 (1)
 
Full Index
Tag Index

FISA and Border Searches of Laptops

10 July 2008

There’s been a lot of attention paid recently to the issue of laptop searches at borders, including a congressional hearing and a New York Times editorial. I’ve seen articles with advice on how to protect your data under such circumstances; generally speaking, the advice boils down to "delete what you can, encrypt the rest, hope that Customs officials don’t compel production of your key, and securely clean up the deleted files". If you need sensitive information while you’re traveling, the usual suggestion is to download it over a secure connection, per the EFF:

Another option is to bring a clean laptop and get the information you need over the internet once you arrive at your destination, send your work product back, and then delete the data before returning to the United States. Historically, the Foreign Intelligence Surveillance Act (FISA) generally prohibited warrantless interception of this information exchange. However, the Protect America Act amended FISA so that surveillance of people reasonably believed to be located outside the United States no longer requires a warrant. Your email or telnet session can now be intercepted without a warrant. If all you are concerned about is keeping border agents from rummaging through your revealing vacation photos, you may not care. If you are dealing with trade secrets or confidential client data, an encrypted VPN is a better solution.
But is it?

When a laptop is searched, the customs agents are not looking for drugs embedded in the batteries or for whether or not the connectors have too much gold on the contacts. Rather, they’re looking for information.

In that sense, it would seem to make little difference if the information is "imported" into the US via a physical laptop or via a VPN, or for that matter by a web connection. The right to search a laptop for information, then, is equivalent to the right to tap any and all international connections, without a warrant or probable cause. (More precisely, one always has a constitutional protection against "unreasonable" search and seizure; the issue is what the definition of "unreasonable" is.)

According to an analysis of the revisions to FISA, "the bill affirmatively permits electronic surveillance without any warrant for Americans’ international communications when the NSA is "targeting" a foreigner or group abroad." By contrast, a border search targets a particular individual entering the country, rather than some foreign group. But if warrantless searches for information are legal, does this provide a non-statutory extension to FISA, a way to justify warrantless wiretapping beyond what FISA already permits?

It gets worse. In general, one has no right to hide contraband from customs agents when crossing the border. Is hiding imported information — that is to say, using an encrypted international connection — improper? Put another way, is using encryption on an international connection the equivalent of hiding physical objects in a false-bottomed suitcase? If so, it is saying that the government must have access to all keys, a notion that was quite thoroughly discredited (and rejected by the American public) during the debate over the Clipper chip in the 1990s.

What about a court order compelling disclosure of a key or passphrase? The legal situation is quite unclear. In in re Boucher, a judge ruled that the Fifth Amendment protection against self-incrimination could be used to deflect a request for a passphrase. While the judge’s reasoning is suspect based on the facts of this particular case, his reasoning struck me as sound. Also note that Boucher was a criminal case; the situation in a civil case is more less clear, since the protection against self-incrimination would not apply.

There’s one more philosophical point to consider. Restricting the public’s access to "foreign" information is antithetical to the basic principles of the First Amendment, and of Freedom of Thought. Trying to restrict access to information in this way is the moral equivalent of the practice of denying visitor visas to Communists (imagined or real) during the 1950s.

Perhaps I’m carrying my arguments too far. Perhaps the slope isn’t as slippery as I’ve portrayed it, though Kerr seems to agree that the Constitution would permit warrantless searches of international connections. At the least, we need a clear statement of what the rules are for government access to imported information, whether carried in physically or electronically.

https://www.cs.columbia.edu/~smb/blog/2008-07/2008-07-10.html