The issue of searches or seizures of electronic gear at international borders is not new, nor is it a kneejerk reaction to the Edward Snowden revelations regarding NSA surveillance programs. But if the seizure of the laptop of the partner of Guardian journalist Glenn Greenwald and other incidents disclosed in 2013 aren’t worrisome enough, the recent dismissal of Pascal Abidor’s 2009 lawsuit by a US federal judge is a stern warning that traveling today carries a greater data security risk than ever before.
Pascal Abidor, you may recall, is a graduate student in Islamic studies who sued the government after American border agents removed him from an Amtrak train crossing from Canada to New York. He was handcuffed, placed in a cell, and questioned for several hours. Then his laptop was seized and kept for 11 days.
Incidents like these in the US, Canada, and the UK are well known. The British Columbia Canadian Civil Liberties Association notes that, "in Canada under the Customs Act, a Border Services officer does not need to have individualized suspicion to search your luggage or other possessions." Add warnings that devices connected to networks in China may be easy prey for cyberattacks, and it should be abundantly clear that search, seizure, or compromise of electronic devices are transnational concerns. It should also be clear that while encryption is one obvious defensive measure, it will, in some cases, merely be an impediment to search but not an "absolute protection."
Time to rethink mobile data policies.
If you are concerned about the disclosure of personal or organizational sensitive data, take stock now. Begin by asking these four questions:
- What data do I really need to carry with me?
Security-minded organizations traditionally apply the principle of least privilege. It's time to consider a principle of least mobile data. Given the frequency of laptop theft resulting in the loss of thousands of social security numbers, user accounts and credentials, medical records, or intellectual property, it’s clear that as a rule, we travel with too much.
- What are the consequences of carrying these data and having them disclosed or copied -- for me, my family, friends, my organization?
Apply basic risk analysis. Disclosure of many kinds of personal or organizational data -- whether by loss or seizure -- has severe personal, business, or reputational consequences.
- What alternatives do I have to access the data when I travel, and will these alternatives be available (or legal) from my international destination?
Consider whether secure remote access (VPN) or secure, cloud-hosted content or applications will satisfy access requirements and reduce risk. Consider as well where you host data. In the face of eroding confidence following surveillance revelations, many organizations today assume a zero-trust posture and consider privacy rights and surveillance laws equally as important a security factor as access to an "operationally secure" cloud.
- What measures should I take upon my return from an international destination to ensure that my electronic devices pose no risk to my organization?
The Canadian Bar Association suggests 10 steps to ensure that road warriors travel with a "forensically clean" laptop. Infosec professionals should read these recommendations with a critical eye; while the guidance CBA provides is spot on, maintaining forensic hygiene is a big, fat chore.
Searches, seizures, or compromises are disconcerting subjects. Stay focused on the notion of "zero trust," don't get distracted by country-specific issues or policies, and you'll likely succeed in finding a healthy balance of data security, trust, and mobility.
Dave Piscitello has been involved with Internet technologies and security for over 35 years.
IT is turbocharging BYOD, but mobile security practices lag behind the growing risk. Also in the Mobile Security issue of InformationWeek: These seven factors are shaping the future of identity as we transition to a digital world. (Free registration required.)