21

When I successfully (legally) immigrate into the USA, I had to move some of my computers which contain a client's sensitive data/project.

I was surprised when I found an article that says the CBP have the right to scan a computer (and can force me to enter the truecrypt password!)

I am unable to wipe any data, but leaking extremely sensitive data is a big problem for me (What should I say to the client, "the government wants your project"?)

I swear that I am not a terrorist of course, but I want to know what other businessmen do in this kind of situation.

Improve this question
6
  • 10
    btw. wouldn't this question be better fit for security.SE?
    – vartec
    Commented Dec 11, 2013 at 13:17
  • 1
    @vartec +1, not sure if it's a better fit here or there but some aspects of the question (e.g. the technical details of how you should put your data in the cloud or retrieve them) would clearly be more relevant on the other site.
    – Relaxed
    Commented Dec 11, 2013 at 13:26
  • 4
    Do you know about hidden volumes? In a nutshell, you can hide the data on the drive and have it look like there's no data there at all. Usefull links: truecrypt.org/docs/plausible-deniability truecrypt.org/hiddenvolume truecrypt.org/docs/hidden-operating-system
    – ike
    Commented Dec 11, 2013 at 15:02
  • I hope it is understood that import and export laws apply, and it may be completely illegal to import/export data from one country to another (especially where encryption) for profit. (obviously depending on the data and the countries). This would apply to downloading info from the cloud as well as manually carrying the information with you.
    – Xantix
    Commented Dec 12, 2013 at 5:23
  • 3
    You should have a read of this question on Security: security.stackexchange.com/q/11612/485
    – Rory Alsop
    Commented Dec 12, 2013 at 10:17

6 Answers 6

Reset to default
14

Disclaimer: IANAL

Allegedly if CBP officers find something clearly marked as "business confidential", they may not proceed without authorization of higher-ups.

Guidelines have been described in document DoHS's document "Privacy Impact Assessment: CBP and ICE Border Searches of Electronic Devices". Seems that according to this if CBP officers would disclose any of your trade secrets, they'd still be legally liable.

However, if you don't want to take chances with that, the recommended course of action is (for example for foreign lawyers):

  • use high grade encryption and upload encrypted files to a cloud
  • store (pass-phrase protected) encryption keys on small device (eg. microSD card)
  • sanitize your computer deleting sensitive data and encryption keys
  • download and decrypt your data as needed

Note, that this is going bit on paranoid side of things.

Improve this answer
3
  • On the receiving end, internal CBP procedure hardly makes any difference at all. The agency and beyond the agency the US government as a whole can still search computers, require passwords or decryption without any specific justification or due process.
    – Relaxed
    Commented Dec 11, 2013 at 13:22
  • @Annoyed: true, but just because they can doesn't mean that it's something average Joe will experience.
    – vartec
    Commented Dec 11, 2013 at 13:34
  • Sure (I wrote as much in my answer, incidentally) but that was the case anyway and it's totally unrelated to this detail of the procedure.
    – Relaxed
    Commented Dec 11, 2013 at 13:57
10

A random search of your computers seems very unlikely but what I read also suggests that you have basically no legal recourse against it should it happen. The only workable solution I am aware of is to upload the data somewhere and then download it once you are in the US.

Of course, this creates all sorts of new security issues (how to secure the transfer and server against whatever risks you are concerned about, etc.) but it would prevent border guards from accessing your data without doing anything illegal. I have no idea if many (business)people actually go to the trouble of doing it.

Improve this answer
1
  • 3
    For travel outside the US my employer issues loaner laptops that don't have any data on them beyond the bare minimum needed for the trip that can't be VPNed on arrival; but AIUI they're more concerned about theft/loss than being snooped on at the border crossing itself.
    – Dan Is Fiddling By Firelight
    Commented Dec 11, 2013 at 14:36
5

One possibility is to do a full drive encryption with some software like TrueCrypt. You can then store the key on a USB drive and have someone you trust send it to you once you make it across the border.

This way you are physically not able to decrypt the computer if asked/forced to. Make sure the thumb drive only gets sent to you once you're safely across the border. The only problems in this would be if the government made a copy of the encrypted data and then intercepted the drive in the mail.

Another alternative is to have a friend encrypt the key and upload it to the cloud. They could then tell you the password once you're safely in the US.

Improve this answer
2
  • With TrueCrypt you can also encrypt a "file", which is really just a container that stores whatever files you want to encrypt. From there you can also have two different passwords. One that reveals one set of data, another that yields a separate set. So if forced to provide a password you can provide the lesser of the two: plausible deniability. TrueCrypt is great for the international traveler with sensitive data.
    – Eric
    Commented Dec 11, 2013 at 21:01
  • 4
    If it really comes to it, not being able to decrypt content might just result in even more trouble, possibly confiscation of the material or detention. Computer-minded people love elaborate technical counter-measures but it really does not matter how they work, it does nothing to get you out of the predicament created by the fact that you have no right not to share your data and no recourse against border guards' demands.
    – Relaxed
    Commented Dec 11, 2013 at 21:35
3

Although I wonder what could be so demanding to import an entire PC (a desktop) - I think there literally are no options if the CBP is bent on checking whatever you are bringing in to USA. Including the nuts and bolts that hold your PC.

I have shipped external hard drive(s) (VM images) in the past and FedEx/UPS had no problem delivering to and from third world countries. I have moved in and around the world freely with a couple of laptops in my backpack with no problems and no inspection at all (other than running them through the airport security scanners).

I feel at the maximum the CBP fellas will wanna inspect whats in the CPU tower versus what is in the hard disk. If the information isn't a terabyte you could also temporarily move the information to a pen drive. I have never heard someone's laptop of pen drive being perused for data.

Improve this answer
3

From our related question on Security Stack Exchange:

tylerl's top answer mentions EFF recommendations:

  • Carry as little data as possible over the border.
  • Keep a backup of your data elsewhere.
  • Encrypt the data on your device.
  • Store the information you need somewhere else, then download it when you reach your destination.
  • Protect the data on your devices with passwords.

...US Customs policy giving themselves permission and responsibility to examine all incoming devices (and data on these devices), including computers, cell phones, etc.

...a number of cases of Customs officials placing monitoring/tracking software on transiting computers

...Finally, don't forget the value of Truecrypt hidden volumes. The plausible-deniability is helpful when dealing with governments.

And I would suggest that these are not activities limited to paranoiacs, but should be followed by any business-person travelling to the US. I don't take any devices with business data on if I can help it, and where possible I also avoid taking personal data.

Improve this answer
0

You might be interested in reading this article. http://www.cba.org/CBa/PracticeLink/tayp/laptopborder.aspx

"Once at their destinations, employees work with data stored on company servers via secure virtual private network (VPN). (Secure connections are a must since, under certain circumstances, U.S. law permits interception of e-mail and remote server connections.) Employees may download files to their computers, upload the results of their work to company servers and “forensically clean” their computers before traveling again."

Improve this answer
1
  • Considering the recent events regarding operations of NSA and other US agencies the statement "U.S. law permits interception of e-mail and remote server connections" is at least debatable.
    – Simon
    Commented Dec 12, 2013 at 8:39

You must log in to answer this question.

Not the answer you're looking for? Browse other questions tagged .