Border Mitigations

In a previous post here, I wrote about some of the potential dangers involved in traveling in today's world, from an information security standpoint. Most of that danger has to do with crossing borders, but some also shows up during regular security controls before boarding a plane.

In this post I want to talk about some of the possible mitigations, what threats they can mitigate but also the negative side effects of them. This is clearly not going to be a complete list, and the list itself is also not in any particular order. None of these are complete mitigations, and for certain threats there are no mitigations. Depending on your threat model you can take these different pieces and mix and match them until you get something that suits you.

I probably don't need to say this, but I will anyway: I am not a lawyer and you shouldn't take legal advice from me.

Bare computer

If it is possible for you to travel with a completely new computer or a computer that has been thoroughly wiped of all content, that might be a good idea. Many people who recommend this approach also recommend that once you arrive at your destination, you connect to your work VPN and download all the things you need from there. In general, this can be quite useful, but there are a few problems. First, you generally have to bring your VPN configuration with you in one way or another. It might be that you can have this information in your head, so that might work. I don't know of any case where a border agent has asked about this information, but it is not impossible - especially since passwords have definitely been asked for.

The other problem with this approach is simply one of productivity. Unless you need very little data to do your job, it might be very inefficient to always have to download all your things before starting work. If you jump around a lot between countries, this can be a pretty significant productivity drain.

Only use SaaS

Related to the above advice, you can also make sure to never need any local data at all. If you're using something like Google Docs or Etherpads for your work, and keep all your email with a web-based email provider, then you will never have any local data that can be compromised. However, in my mind this cure might be worse than the disease, since we know that a lot of information in certain jurisdictions is already in the hands of the governments of those areas. If you have sensitive information that you want to protect, putting it all in the cloud might not be the best solution.

Sadly this also falls down if you're asked for passwords and information. For example, if you're asked for your Google password, the agents will have potential access to all your work in one handy bundle.

Separate accounts

This advice is only useful for the current situation where a security agent asks you to start your computer and log in, to show that your computer is actually a working computer. Basically you just create another login account that is completely empty and has no privileges on your computer. However, even this approach is a bit dangerous, since if you are using hard drive encryption (you are, right?) - you will still have to enter this password during the boot process. I wouldn't feel comfortable having to do that in front of any kind of border agent.

The bigger problem is that this approach doesn't work during secondary screening or any of the other more dangerous situations - you can try to fool them using this approach, but that is exceedingly risky and in some cases can land you in legal trouble.

Turn off computer completely

If there is the slightest risk that your computer will be separated from you at any point, it is a very good idea to turn it off completely, a while before landing. The minimum amount of time before should be 15 minutes. The reason for this is that if you are using hard drive encryption, there are attacks (so-called cold boot attacks) that can be very successful in recovering your data unless the computer has been completely off for some time.

This is a good precaution in general, but won't save you if they force you to enter your password of course.

Back up data

At some borders you can refuse to give up your password. In general the result will be that your devices will be seized completely. So if this can happen to you, it is more important than ever to make sure you actually have backups of all your data. This one really shouldn't be very controversial - everyone needs to have backups of their data. The trickier part is how to do backups in a safe way. It is all too easy to put all your secrets in a very easily cracked backup system. But that's a story for another blog post.

Prepare lawyers

If you have any reason to suspect you might be having trouble, or you have the kind of data that would cause trouble even if you are randomly selected, it is extremely important to prepare a lawyer in the jurisdiction you are flying to. It is not enough to have your lawyer at home - they most likely will not know what rules are in effect at the border to the other country, and if you're flying far they might not be reachable at all. So, make sure you have a lawyer prepared, write down their phone numbers and information on a piece of paper and make sure that the first thing you do if you're detained is to mention you want a lawyer and here is their information.

In general, "be prepared" is the motto here.

Run your OS from an SD card

Some people recommend not having a hard drive in your computer at all, and running the operating system from an SD card instead. The theory is that these are small and easy to hide if you get in trouble. Of course, that might mean you have a computer you can't start up - and if it's obvious that you've been hiding or destroying the SD card you will get in trouble for obstruction.

Avoid certain countries

There are some jurisdictions that are simply too risky to go to for some people. A very good mitigation is to keep a list of the countries you can't go to, and simply avoid them. Of course this can cause a lot of trouble trying to get work done - but it might be better than the alternative.

Hidden volumes

Some tools, such as TrueCrypt, support a system called hidden volumes. The idea is that you can have more than one encrypted hard drive in the same place - and there is no way for an outsider to know whether you have one disk volume or several. You just use a different password to open up each one, and there exists no good way to see if there are any other volumes in the same place.

This approach can be extremely useful, but it can also be very harmful. The good side is that you can hide your important information in a hidden volume, and when you are forced to open up your hard drive for inspection, you just open up an innocent volume instead, not giving any indication that there is more data on the disk. If the person investigating you doesn't know the software you're using and has no reason to suspect foul play, this approach can work. However, the dark side of this is that if the person investigating you knows about hidden volumes, you have no way of proving to them that you have given up all your passwords. That means that they have no incentive to stop interrogating you - and depending on the country you're in, this might lead to torture that you have no way of stopping.

Of course, the other side of this is that for a group keeping secrets, it is good for the group if their members use software with hidden volumes. Since the individual member knows they have no way of proving that they have given up all the information, the rational way to behave is to not give up any information. Of course, this is terrible for the member, but good for the group.

Hidden volumes are a powerful tool, but you shouldn't use them unless you know the potential consequences.

Don't know your passphrase

One way of avoiding giving away your passphrase is to not actually have it. There are a few ways of doing it - one way would be to just give your full passphrase to a person you trust and call that person once you've crossed the border. You should probably use a temporary passphrase that you immediately change once you've gotten access to it. You can also use it to encrypt a password manager file that contains all your real passwords and passphrases. It is not clear whether this approach is actually legal - you might be the person that has to test that.

Another variation on this approach is to give the passphrase to your lawyer. Another alternative is to split the passphrase into pieces that different people have. You can also use something like Shamir's Secret Sharing so that you can spread the passphrase among more people, and you can still recover it even if you don't get hold of all those people.

The biggest problem here is that you actually have to be able to get hold of the people every time you pass the border.

Make the tradeoff decisions before traveling

When traveling with sensitive information, it is important that you have thought about tradeoffs BEFORE starting the journey. You need to figure out whether the information you have is important enough for you to go to prison for contempt, risking a lie or any of the mitigations in this list. You will have to make this decision before going, and commit yourself to that decision - because once you are in secondary screening you will not be in the mind space to think rationally about these issues. You will be tired, potentially dehydrated or in need of a rest room. You will be confused and potentially afraid. And the agents will not make it easier for you. So, decide before going how much your information and secrets are worth to you.

Publish temporary PGP keys

If you put a lot of stock in your PGP keys, you might consider leaving them at home when traveling. Of course, that means it will be hard for people to send you encrypted information if you don't bring your key. So one thing you can do is to create a new temporary PGP key with a very short expiry, sign that key with your long term PGP key and then publish this information in a well known place - which you can point people to if you receive encrypted email to your long term key.

Bring a basic feature phone

If you can avoid having a fancy smart phone with you, it might be useful to just leave your Android or iPhone at home, and instead bring the simplest feature phone you can find. You can still be reached on your number, but the worst thing that can happen to it is that you lose your SIM card. This is a good mitigation if you are willing to leave the convenience of global data behind.

Conclusions

As you can see, there are no good ways of mitigating all risks you can face at a border. The best way is to not have any interesting information with you at all - but that means both leaving it away from your person, and not being able to use the information while traveling. Every person facing this problem will have to go through their assets and figure out which of the above mitigations will work for their needs.