Utility of laptop border searches

| Comments (1) | Security: Airport
Jayson Ahern from TSA has posted a defense of their laptop border search policy:
First, it's important to note that for more than 200 years, the federal government has been granted the authority to prevent dangerous people and things from entering the United States. Our security measures at the border are rooted in this fundamental fact, and our ability to achieve our border mission would be hampered if we did not apply the same search authorities to electronic media that we have long-applied to physical objects--including documents, photographs, film and other graphic material. Indeed, there are numerous laws that apply to such material at the border including laws regarding intellectual property rights, technical data that can be imported or exported only under state department license and child pornography.

In the 21st century, terrorists and criminals increasingly use laptops and other electronic media to transport illicit materials that were traditionally concealed in bags, containers, notebooks and paper documents. Making full use of our search authorities with respect to items like notebooks and backpacks, while failing to do so with respect to laptops and other devices, would ensure that terrorists and criminals receive less scrutiny at our borders just as their use of technology is becoming more sophisticated.

This result would be ironic given that this same technology actually enables terrorists and criminals to move large amounts of information across the border via laptops and other electronic devices. At the end of the day, we have a responsibility to search items -- electronic or otherwise -- that are being transported across our borders and that could potentially be used to harm our nation's citizens or that are otherwise contrary to law.

It seems to me that this fails to recognize a number of important respects in which your laptop is different from physical objects like documents, photographs, etc.

First, unlike drugs or currency, you don't need to actually carry information across the border in order to bring it into the country. For starters, you just put it on some Web site (GMail, any file sharing site, etc.) and download it once you've entered the country. Standard encryption tools easily suffice to hide the data from interception by the authorities. You don't even need special software; you can use SSL to contact the site. If you're using GMail, Google will even serve you ads relevant to your interest: "Get your discount surface-to-air missiles here." Of course, if you don't want this, you can PGP encrypt your data with some static key you memorize. Even if for some reason you can't figure out how to operate GMail, you can just copy the data onto a CDROM and ship it to yourself. Even if customs can search them—and I interpret this policy as saying they can't search USMail—as a practical matter it's trivial to hide your in digital music or digital video, so even if they do search your mail it's unlikely you'll get caught.

Second, even if you have to bring the data across with you, Digital data is trivial to hide. For instance, a 2G flash memory chip is about 10x10x2 mm. I can think of lots of ways to hide a chip like that in your gear: for instance in a chip-style cash card. Even if you can't contrive to hide this somewhere in your gear, remember that customs needs a much higher level of suspicion to do a body cavity search, so you can simply swallow the chip to bring it across the border. Basically, you can't stop a dedicated attacker from smuggling even large quantities of digital data across the border.

Ahern talks about preventing "dangerous people and things from entering the United States", but this conflates two different issues. For the reasons above, it's not really possible to stop "dangerous" digital data from entering the US. Now, you might be able to stop dangerous people from entering the US if they were stupid enough to forget to erase incriminating data from their laptops and you catch them during your search, but now that it's public knowledge that CBP is searching laptops, we would expect competent terrorists or child pornographers to take note of that, so you should mostly expect to catch the incompetent, and more likely average people who are carrying contraband.

The third way in which laptops are different is that taking your laptop away is extremely invasive. Even if we ignore the arguments (which have already been aired extensively) about how much it compromises your privacy to have all the stuff on your laptop exposed, having your laptop taken away from you is incredibly inconvenient, as anyone who's ever had a hard drive crash can tell you. As I understand the policy, CBP claims that they can just take your equipment indefinitely. Without arguing about whether they're legally allowed to, it should be noted that they could just image the hard drive. This isn't quite as good since they don't get to do a complete search—you could be hiding your flash chips on the motherboard somewhere—but given the ease with which you can hide your media (see above), this seems like it's good enough to catch the stupid people.

1 Comments

I agree with all your points. It's somewhat depressing that for years now the tech crowd that reads Schneier, Slashdot, your excellent blog, etc, has simply accepted and taken it for granted that these types of policies are a waste of time and money (and have a dangerous potential for abuse), but for some reason we haven't seen those conclusions percolate up through the rest of the population and feed back into the design of screening procedures.

I think the second paragraph you quoted should raise a bit of a red flag in the mind of anyone who reads it, especially this part:

"In the 21st century, terrorists and criminals increasingly use laptops and other electronic media to transport illicit materials that were traditionally [...]"

Can the author actually back this up? I'm not in the US, so I really don't know for sure, but I was under the impression that border searches were catching essentially zero terrorists (or close enough to zero to be insignificant). So how do we know that they "increasingly use laptops and other electronic media"? If that's the justification underpinning these policies, it seems like it should be properly sourced.

I would actually guess that it's the exact opposite, that using physical media to transport dangerous data (whatever that is) across a border should be on the decline. The article makes it seem like it's a growing 21st century trend ("we must adapt to 21st century risks and anticipate rather than react to new threats"), but consider that ten or fifteen years ago, it was far harder to use secure electronic transmissions than it is today.

Fifteen years ago, there were restrictions on strong crypto that made distribution of security software complicated. Fifteen years ago, I couldn't run an ssh server in my basement (no popular secure file transfer options back then, no always-on home connections, etc), connections were less reliable and lower-throughput, so unless you were in a university, the net was really not the most convenient way to move large amounts of data. All the easy options you mention (GMail, file sharing sites, using SSL for transfers) really only came about in the last decade.

>> The third way in which laptops are different is that taking your laptop away is extremely invasive.

Yes, I've often wondered what a travel insurer's policy would be in a case like this. If I buy travel insurance (luggage, cancellation, etc.) with my bank, then travel to the USA and am unlucky enough to have a border guard take my laptop, it seems I have two choices:

Option 1) Refuse to hand over the laptop and get denied entry to the country. Go back home. In this scenario, would typical traveler's insurance compensate me for the wasted plane tickets, conference fees for the conference I was attending, etc?

Option 2) Hand over the laptop, which they decide to keep for months and possibly break. Would the typical insurance policy cover this as a claim for theft?


Leave a comment