Vulnerabilities / Threats
04:43 PM
Connect Directly

DHS Report Says Leave Laptops At Home

The federal agency said anyone who brings their computer or cell phone out of the country is risking privacy and data security violations.

The U.S. Department of Homeland Security appears to be of two minds about the security of information on portable devices.

On the one hand, it defends border searches of laptops as necessary to limit the movements of terrorists, to deter child pornography, and to enforce U.S. laws.

"One of our most important enforcement tools in this regard is our ability to search information contained in electronic devices, including laptops and other digital devices, for violations of U.S. law, including potential threats," said Jayson Ahern, deputy commissioner, U.S. Customs and Border Protection, in an online post in June.

On the other hand, it has warned business and government travelers not to carry laptops or other electronic devices when traveling abroad, as a way to prevent "unauthorized access and theft of data by criminal and foreign government elements."

In a document titled "Foreign Travel Threat Assessment: Electronic Communications Vulnerabilities," published June 10 by the DHS's critical infrastructure threat analysis division and recently posted to Wikileaks, DHS urges business leaders and U.S. officials to "leave [electronic devices] at home" when traveling.

"Foreign governments routinely target the computers and other electronic devices and media carried by U.S. corporate and government personnel traveling abroad to gather economic, military, and political information," the document warns. "Theft of sensitive information can occur in a foreign country at any point between a traveler's arrival and departure and can continue after returning home without the victim being aware."

Recognizing that for some it may be impossible to travel without a laptop and phone, DHS recommends buying a single-use cell phone locally, carrying a designated "travel" laptop with a minimum of information on it, and using temporary Internet e-mail accounts that are not associated with a corporate or government entity.

"Even with these strategies, however, travelers should assume that all communications are monitored," the DHS Threat Assessment says.

Such warnings recall a U.S. State Department's Bureau of Consular Affairs advisory to U.S. travelers headed to China for the 2008 Olympic Games. "All visitors should be aware that they have no reasonable expectation of privacy in public or private locations," the bureau warned. "All hotel rooms and offices are considered to be subject to on-site or remote technical monitoring at all times. Hotel rooms, residences, and offices may be accessed at any time without the occupant's consent or knowledge."

In other words, expect no privacy or data security anywhere.

Peter P. Swire, a law professor at Ohio State University's Moritz College of Law and a senior fellow at the Center for American Progress, says travelers ought to take such warnings seriously and practice good computer hygiene. "Don't expose your laptop to viruses and Internet cafes," he said. "Don't put your memory stick into any receptacle where it doesn't belong."

The federal courts have held that border searches of laptops and other electronics represent a permissible exception to the Fourth Amendment. But case law on the issue supports a distinction between two types of searches -- routine and nonroutine.

Nonroutine searches, such as a strip search, are distinguished by their invasiveness and require a "reasonable suspicion" that the person searched is involved in an illegal activity.

It's not clear from a legal perspective whether laptop searches are routine or nonroutine, and it probably won't be until the Supreme Court rules on the issue or Congress passes a law requiring reasonable suspicion for searches of electronic devices, which could happen next year.

Ahern, from the CPB, meanwhile, insists that border searches are routine and no different from searches of a suitcase or vehicle, a position that the Association of Corporate Travel Executives and the Electronic Frontier Foundation are fighting to change.

One consequence of the U.S. government's position is that it emboldens other governments to claim similarly unconstrained information access rights, at the border and beyond.

Swire said he supports laptop searches when there's reasonable suspicion of wrongdoing. "If that became the global standard, the problem overseas would be much less," he said. "If the U.S. had a better policy, we would be in a better position to object to these intrusive practices."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
According to industry estimates, about a million new IT security jobs will be created in the next two years but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.