Keeping your data safe when crossing borders

When I flew back to Canada from San Francisco last October, the well-suited traveler next to me disabled Touch ID on his iPhone before crossing the border, then enabled it again once he'd cleared security and customs. The sight of him re-registering fingerprints after exiting the terminal stuck with me. This was Canada, after all, not the Galactic Empire! Then I realized it wasn't the country that mattered to him, it was the security.

Jonathan Zdziarski, writing for his blog:

Once policies that require surrendering passwords (I'll call them password policies from now on) are adopted, the obvious intelligence benefit will no doubt inspire other countries to establish reciprocity in order to leverage receiving better intelligence about their own citizens traveling abroad. It's likely that the US will inspire many countries, including many oppressive nations, to institute password policies at the border. This ultimately can be used to bypass search and seizure laws by opening up your data to forensic collection. In other words, you don't need Microsoft to service a warrant, nor will the soil your data sits on matters, because it will be a border agent logging into your account.

In other words, if any country starts mandating digital unlock on border crossing, every country could follow, and there are many countries we probably don't want having access to our devices and accounts — because they'll own those devices and accounts ever-after.

For years we've heard stories of people leaving their phones behind when traveling to regions renowned for hacking or, if a device ever left their site at a border checkpoint, abandoning it there and never picking it up again.

Those were once rare occurrences in particularly dangerous places. As data becomes more important to more countries, however, it might be something many of us start encountering during the normal course of travel.

The key to mastering the art of protecting your data at a border is to forward plan for the survival of your data outside of the constraints of the border crossing, while positioning yourself as if you were the adversary during this encounter. There are a number of different ways to do this which can range from social engineering to compartmentalization of data. How you choose to do it depends on your data needs while abroad.

Zdziarski also reference a previous article he wrote on preventing pair locking:

I've written about Pair Locking extensively in the past. It's an MDM feature that Apple provides allowing you to provision a device in such a way that it cannot be synced with iTunes. It's intended for large business enterprises, but because forensics software uses the same interfaces that iTunes does, this also effectively breaks every mainstream forensics acquisition tool on the market as well. While a border agent may gain access to your handset's GUI, this will prevent them from dumping all of the data – including deleted content – from it.

If you're traveling to a part of the world where you're concerned about the safety of your data, give the whole article a read.