A US Ninth Circuit court ruling this week has asserted that computers are like luggage and are therefore subject to searches at borders and airports. This is a scary revelation for anyone in the computer industry who is practically inseparable from their laptop.
Unlike luggage, a laptop is a vessel for storing sensitive corporate data, personal financial information, and in many cases, just about everything a person has ever done (I, for example, have email archives dating back to 1996).
This is yet another reason to start protecting your data using applications like PGP Whole Disk Encryption (for whom I used to work), or Open Source alternatives like TrueCrypt. However, given that a state court has already ruled that the TSA can’t force you to divulge your passphrase, I have to wonder how long it will be before the TSA lobbies for a software equivalent to the ominous TSA travel locks.
Another option is to store sensitive data somewhere in the “cloud” and not on the laptop. We’ve been advised to keep all sensitive data on the corporate network, and to remote in to access it. For home users, one of the many internet storage solutions (depending on how much you trust them) or something like a Windows Home Server could be a solution.
Totally creepy. Too bad most of the tech world is too selfish to care about public policy.
I don’t think encryption is a solution. If they search your laptop and they find an encrypted disk or encrypted data, then you are in trouble; if you don’t release your password, they can take your laptop for an indefinite amount of time…!
TrueCrypt is a good solution since it uses the hidden volume technique.
I believe the best solution is to encrypt your files and store them online.
Then just go around with your laptop without any sensitive data on it.
There’s another interesting dimension to this that occurred to me while discussing this with Ashley: what’s the liability for the user or the company for information exposed due to a TSA search?
For example: I have a lot of data on my laptop from my various employers, with whom I have signed non-disclosure agreements. These agreements are legal contracts that obligate me to not disclose proprietary information owned by the company. Now, let’s say the TSA is searching my laptop and decides to access this sensitive data – at this point, I have now violated my non-disclosure agreement. But I didn’t have any choice. Am I liable?
Another example: Many of the US states now have data breach laws modeled on California’s SB-1386. These laws require companies to not disclose customers’ non-public personal information. Disclosure of this information requires the company to notify the customer, a process which is usually complicated by the fact that the precise customer who has had their information disclosed is not known (think of a laptop with hundreds of customer records on it). The result is an expensive legal and PR debacle for the company. Now, again, the TSA decides to look at some of the customer files on my machine as part of their search. Am I, or my company, liable for this “breach”?
The larger issue here is that this is the beginning of a dangerous precedent. The next logical step is for the TSA to note “Oh, we can’t possibly search an entire machine in the time we have at the border. We need to be able to take a complete copy of your drive - that way, we can search it later.”
Giorgio and Matt have the right idea - storing the data in the cloud. However, that’s problematic for most travelers. Think about sales guys who need access to their data on the road. Sure, there are ways around this (wireless/cellular modem cards), but it’s yet one more complication that business would rather avoid.
Looks like the EFF is stepping up the pressure to have hearings on laptop search procedures. In the meantime, they’ve issued recommendations on how to keep your laptop from being searched.