Can you keep your personal data and accounts safe when every country starts to want it?
When I flew back to Canada from San Francisco last October, the well-suited traveler next to me disabled Touch ID on his iPhone before crossing the border, then enabled it again once he'd cleared security and customs. The sight of him re-registering fingerprints after exiting the terminal stuck with me. This was Canada, after all, not the Galactic Empire! Then I realized it wasn't the country that mattered to him, it was the security.
Jonathan Zdziarski, writing for his blog:
Once policies that require surrendering passwords (I'll call them password policies from now on) are adopted, the obvious intelligence benefit will no doubt inspire other countries to establish reciprocity in order to leverage receiving better intelligence about their own citizens traveling abroad. It's likely that the US will inspire many countries, including many oppressive nations, to institute password policies at the border. This ultimately can be used to bypass search and seizure laws by opening up your data to forensic collection. In other words, you don't need Microsoft to service a warrant, nor will the soil your data sits on matters, because it will be a border agent logging into your account.
In other words, if any country starts mandating digital unlock on border crossing, every country could follow, and there are many countries we probably don't want having access to our devices and accounts — because they'll own those devices and accounts ever-after.
For years we've heard stories of people leaving their phones behind when traveling to regions renowned for hacking or, if a device ever left their site at a border checkpoint, abandoning it there and never picking it up again.
Those were once rare occurrences in particularly dangerous places. As data becomes more important to more countries, however, it might be something many of us start encountering during the normal course of travel.
The key to mastering the art of protecting your data at a border is to forward plan for the survival of your data outside of the constraints of the border crossing, while positioning yourself as if you were the adversary during this encounter. There are a number of different ways to do this which can range from social engineering to compartmentalization of data. How you choose to do it depends on your data needs while abroad.
Zdziarski also reference a previous article he wrote on preventing pair locking:
I've written about Pair Locking extensively in the past. It's an MDM feature that Apple provides allowing you to provision a device in such a way that it cannot be synced with iTunes. It's intended for large business enterprises, but because forensics software uses the same interfaces that iTunes does, this also effectively breaks every mainstream forensics acquisition tool on the market as well. While a border agent may gain access to your handset's GUI, this will prevent them from dumping all of the data – including deleted content – from it.
If you're traveling to a part of the world where you're concerned about the safety of your data, give the whole article a read.
Keep yourself secure on the web
- How to use two-factor authentication
- How to protect your data from being hacked
- Best practices for staying safe on social media
- Best VPNs for public Wi-Fi networks
- Best ways to secure data when crossing borders
- Best ways to increase iPhone and iPad security
- How to back up your iPhone, iPad, and Mac
- Differential privacy — Everything you need to know!
Reader comments
Keeping your data safe when crossing borders
Here's another alternative for iDevices: wipe them clean and restore them from iCloud later. Not ideal, but if the device is blank, there is no password or data to loose.
Each iDevice can be used to make 3 accounts, so make a "plausible deniability" account if they insist on having your iCloud/iTunes account info. Be careful not to have your real Apple ID on a business card.
Another alternative is to lock the device with Find My iPhone, but that could raise suspicion of theft. Plus, your data would still be on it. Not ideal at all.
The real trick is your email account. You're on your own for that one. Two Factor Authentication can help here though. Be sure to use Authy, Google Authenticator, Lastpass Authenticator, etc. Then a password is not enough.
The article mentions turning off Touch ID and then subsequently re-registering fingerprints. Surely it is only necessary to power down the phone before crossing the border. After powering it on again a password is essential to turn it back on Touch ID will not do it. Once you have entered a password (presumably not under duress from officials) then Touch ID starts working again.
You are right: that person could have just turned off their phone. But…
They may demand your password eventually, in which case turning off your phone may not be enough.
https://www.engadget.com/2017/02/08/dhs-could-demand-social-media-passwo...
That is Rene's point.
If you have an electronic boarding pass I'm not sure it'll show after power down before re-authorizing with passcode (you boot back into PreBoard, a separate state). Wiping prints let him still use electronic boarding pass but didn't let fingerprints unlock SpringBoard.
Well why talking about other countries when you have Trump in the US that wants everyone who wants to apply for a visa to give their social media passwords? There is a chance that the US turn into an oppressive regime! The US are not the democracy that it wanted to be anymore.... and it's a shame, as it is a form of victory for terrorist when their targets forgot their core values... and the politicians doesn't even serm to care!
Pop the bubble bro. Once again, Obama starts something that Trump gets blamed for. Check your facts, or alternative facts. Obama wanted it but DHS rejected the idea. If Trump has the same idea, maybe DHS will response the same way. Also, the US isn't a democracy, we're a republic, take a civics class. Back to the hatemongering…
http://www.msnbc.com/msnbc/exclusive-homeland-security-rejected-plan-vet...
My, that horse of yours is awfully high. If you're interested in learning how the U.S. is both a democracy and a republic, follow this link: https://www.washingtonpost.com/news/volokh-conspiracy/wp/2016/11/14/the-...
Sadly, the MDM function referred to can be removed as long as you have the device password. Yes, it removes the remotely provisioned PIM accounts and apps, but that's not too hard to recover.
Are you sure about that? Did you read the full blog post? He mentions how you can set the Managed Device profile so that it can never be removed (short of a full erase of the device). I've actually tested it and the profile, which disallows another computer to control the device, cannot be deleted.
In a world of ubiquitous connectivity, VPNs. and cheap hardware, consider leaving all data behind and accessing it from afar. Those with security clearances are advised to assume that hardware taken to China, Russia, India, or Iran is compromised and may be left behind when returning.
Sent from the iMore App