Hm. Lots of information is cached, like facebook messages. And Whatsapp is located on the phone itself. Honestly, it's still pretty bad no matter how you look at it.
Except now you've transferred your data over an international border and into a third parties infrastructure. If you're paranoid, that isn't more reassuring either. I suppose if you encrypt the files yourself before uploading, then your data are a bit safer.
The cloud ? Do you mean a third party owned server, probably one that is hosted on US soil and subject to patriot act, one over which you have no rights ?
That's not how you protect sensitive data.
Try crossing the border with a reset device and see by yourself if this makes you suspicious enough to get yourself in trouble (hint: it is)
Nefarious types can leave their phone at home or ditch it before crossing a border. And just buy a new phone after crossing a border to connect to their existing phone plan account. It's easy for these persons to bypass security checkpoints and still connect with their regular contacts abroad. Ultimately it's just another useless "security" measure.
Android/Google does this extremely well. I've recently had to do a few factory resets trying to fix a hardware issue on my phone.
Just turn on Google's backup service for apps and settings, let it finish syncing, and then factory reset. When you login to the fresh phone, it offers you that backup in the startup wizard. If you're on a good connection, restoring the backup is surprisingly fast.
Although, I think that you can potentially lose a bunch of stuff, depending on how you use your phone. Like any app sideloaded or installed through another app store, the extra data chunks that lots of games download, data created by apps (subject to developer settings), loose files being stored on the phone, etc.
I know that when I switched phones last year, there were a lot of manual steps moving between devices (the HTC transfer mechanism worked for most of that, but I still ended up moving some files manually).
Yeah, you'll have to do that, or else go through the recovery process after the fact. My phone recently failed and I got a replacement, and I had to go through the 2FA recovery process for all my accounts after getting the new phone. LastPass was particularly annoying because their "lost my 2FA device" feature was broken when I tried to do it...
iCloud backup from the phone works well. Then factory reset. You can do this by yourself from iTunes from your computer if you don't want to pay for the iCloud storage fees.
I don't know how to do it on a Google phone, does anyone have any suggestions?
I have had to do this a couple of times in the past due to a broken screen and a broken battery. The hardest part was Google Authenticator wasn't automatically restored with all my accounts, and logging into each service to set it up again was tedious.
I'm actually surprised I didn't manage to lock myself out of some service that was relying on Google Authenticator.
It wouldn't surprise me to hear if they detained a person for not doing it, but I would imagine at the very least they'd be denied entry into the country.
about 20 years ago foreigners barely speaking english have been sent to US high security prisons with latinos gang members for an indefinite period of time without charge.
This happened to this guy who had a business of super nintendo game genie or something. He spent several weeks in there before he got help from family worried he didn't give any news.
And let seemingly innocuous things incriminate you in their eyes? I think this advice should hold true in this case too: never voluntarily talk to a police or let them in your home without a warrant.
That advice is very different than suggesting that every time I cross a border follow all those steps. The advice that would be similar would be to always have your home wiped of any information just incase the police come knocking at your door with a warrant.
No, when you cross the border you are at very high risk of having your electronic devices searched. It has happened to me crossing into Canada. If I got a call from the police saying that next Tuesday they would be executing a search warrant on my house, you can be sure I'd wipe everything clean just on the off chance someone planted something illegal without my knowledge.
Sure. And freely talk to cops with no lawyer - your life if boring, right? - too. Don't make waves. Keep your head down. The nail that sticks up gets the hammer.
You can do whatever you want. Some of us prefer to live in a free country of laws and are willing to make a little noise now and then.
If you want to wipe your phone as a protest, fine. I am just pointing out that it is not good practical advice if you just want to avoid trouble, which is what most people want to do. For the majority of people, a wiped phone will trigger much more suspicion than their emails or Facebook messages would.
Fake backup, not fake device. Specifically, I think they meant that you backup your device to the cloud, then wipe the device and restore using a backup of bogus stuff that they will believe is the real device. So you are taking your real device across. Then when you get across, you wipe it again and restore from the cloud.
Problem is getting a backup where the timestamps are up to date. Otherwise, it would be very easy to see that all communications on the device stopped at the backup date.
Someone else here mentioned that they see a market opportunity for generating fake data to load on your phone for exactly this type of purpose. Something like that could work because you would be generating a fresh "fake" to load on your phone the day or so before you cross the border.
Lots of people buy used phones. If you install a bunch of apps and set a photo of your dog (or a random internet dog) or kid as the background, it probably wouldn't be all that suspicious.
Maybe, but it's trivial to take a few pictures and send a few boring messages if you're concerned about this. Also just tell them the truth. You don't want government agents going through your private personal data. We need more people standing up to this crap.
How can you be so sure? Has anyone borrowed your phone? Have you ever left your phone out of your eyesight? Are you sure you don't have any malware on your phone downloading all kinds of content without your knowledge? Has anyone you emailed or texted years ago suddenly become the subject of an investigation without your knowledge, now subjecting you to interrogation?
It's not paranoid, it happened to me. I lent my phone 18 months before crossing the border, the person sent a few messages, some of which were incriminating. I had no idea as I do not use the stock messaging app.
The border agent believed me when I said I had lent the phone and do not use this to text message (had not been used in 18 months, was used to send message to numbers not from my country, had an encrypted messaging app full of messages)
Yes it does. There was one recent case where possession of a factory reset phone was considered obstruction of justice. No I don't have a link or citation, so feel free to ignore.
If you knowingly did it to hide evidence then I can see how that would be obstruction. No different than wiping your hard drives if you think you're going to be raided.
Thats what I was trying to say. Casually wiping drives I agree shouldn't be suspicious but if you're doing something that may be unlawful and you're wiping - can't really complain they nail you with obstruction or worse.
You wanna make sure you don't get caught in the "lying to a federal agent" trap there.
That's one time a network locked phone might be handy "Yeah, I've got a newer phone that I use all the time, but it's network locked to Telstra in Australia, so I'm using an old phone for travel."
As some experts have said, this is a terrible idea. The moment you say you have nothing on the phone to the agent (because you're a l33t clever haxor who can encrypt and hide it), you've committed a federal crime. Best not to have anything on the device, and then you're not lying when you say there's nothing on there.
Let's see. Various phones are far easier to do this with than others. Also, how soon after I cross the border will I have network access again? Where will I have stored my decryption key -- not on my devices!
You could use a time-based and IP-based escrow. You don't get your data (or the key) until you are beyond a specific time and on a specific network. It's an interesting problem.
I would consider any device that's been through an inspection as potentially compromised as they could theoretically install a backdoor and access ur data later.
Maybe just using some kind of a burner phone is better.
They can already do this via singray and other cell tower acquisitions.
You don't own the baseband firmware, therefore do not trust the device.
The same is true of your desktop and likely router gear, but many of those at least require brief physical access to enable (however there's also in transit or baked in at the factory).
If you want a truly secure device demand fully open.
Yes they could, but that would (usually) assume that I'm being targeted specifically by law enforcement. They could also access my data this way, but yet they choose to inspect my phone physically, on entry.
What I'm more worried about is my data being accessed as part of yet another mass surveillance program. I'm not saying that is not already possible with other means, but I would certainly not want to make their job easier.
Honestly, it depends on how paranoid you want to get. The hassle of me totally replacing a phone is not commensurate with the likelihood of the government bugging my phone - unless they're bugging all phones, at which point they're more likely to do so with OTA software updates, or another way to access it without requiring me to pass a border.
Yes, IT sec is sort of a rabbit hole. There is always another attack vector right under. If its not software, then its firmware, if its not firmware then its the chip..etc.
Normally, you would consider where the biggest risk is and set up your security accordingly. Unfortunately, with such an intrusive, state-level actor, you have to assume the worst.
I don't; if I assume the worst, I hammer every storage device I own, and throw the remaining hardware into the dumpster, and basically start dumpster diving for 1980's computer equipment - because the worst is that they're out to get me, and have already infiltrated everything I own.
The Mossad can make your cellphone explode from a distance of 500 feet by using two matchsticks, a loop of 18 gauge wire, and an eye of newt.
If your adversary is the Mossad, or some equivalent thereof, they are going to do Mossad things to you, and you're going to die and there's nothing that you can do about it.
Call me a stoic or a fatalist or an idiot, but this is not something I'm concerned about when I'm crossing a border.
The mossad is usually not a concern when crossing the US border, but when crossing the US border for business and you have company or sensitive data with you or a device that can help get to this data, you can expect the US services will do what is required to get to the data. It's been shown by snowden and assange that the US regularly use surveillance, spying and every tool available to gain economic advantage over foreign competitors.
If your adversary is the Mossad, or some equivalent thereof, they are going to do Mossad things to you, and you're going to die and there's nothing that you can do about it.
That's a bit hyperbolic. An institution like the Mossad has literally thousands if not millions of "adversaries". They don't kill all of them. They probably kill less than 1% of them.
6. get in trouble and be detained for interrogation at border
7. Miss your flight / be added to suspect list / have your electronics confiscated / be denied entry / be sent to US prisons for an indefinite period of time without charge
You can choose more than one option for 7.
I had my phone inspected by border agent who found highly suspicious that I had no text messages stored in there, then asked me to enter the password to decrypt my messaging app then proceeded to go through the messages. I ended up entering the country because I knew of this possible scenario and had planted messages in there just in case. I know it worked because when given my phone back it was still open on the very message planted for the purpose of convincing the agent.
Also I mask my actual account on my laptop and create another with enough activity in it to pass for a real one.
I'm not going back to the US anymore in my lifetime.
Not quite related, but I'm actually thinking of getting rid of my phone for most of the day (by leaving it at home) because it just distracts me all the time.
This might be a foolish question, but I was under the impression that if you had a strong pin/password and an encrypted device, there wasn't much they could do to get the data off the device, no? Won't modern phones (I have an Android) not allow you to see any data unless the device is unlocked? I know when I plug my device into the computer, it will only be in charge mode unless I unlock it and then switch to file transfer mode.
Do the authorities have ways around that?
Also important to note - the encryption would have to apply to any external expansion SD cards or else they can just remove the card and copy the data.
Phone applications and their data are so abstracted these days, it would be difficult for even an IT expert to differentiate between cloud and local data if search takes place using the device itself (which I assume is what happens). If they connect the phone via USB and browse the contents with a workstation, that might be a different story.
Some apps won't let you access any of your content without authenticating with their servers. So even if it's local content, not having an internet connection would deny access. I can envision CBP saying they need to crack your phone to get to the local stuff.
I was thinking the same thing - for purposes of making a record of the evidence and to ensure some forensic integrity (as well as only obtaining local data) a USB connection is the best approach.
FWIW, my laptop and phone were searched going into Canada and there was no special technology used - the officer just made me unlock them and hand them back to him.
The "freedom won" described in the article is not significant. It clarifies that border searches won't routinely include using your local credentials to log into your facebook or other social media accounts whose data is not stored on the phone other than log in credentials. Yet one is still expected to provide log in credentials to the phone during border crossings. This still means that the only reasonable and sane process is to factory reset a phone or not carry one at all.
I don't see anything travelers won back. The letter is saying CBP policy doesn't allow these things, when obviously agents have been doing them. It may be against policy, but unless you reprimand or fire people over it your policy is useless.
The letter is just ass covering and the title is terribly misleading.
This seems to be a general issue with any sort of attempt to impose restrictions on police-like agencies these days - between the boundlessly sympathetic legal system, the political power of police unions and an institutional culture that distributes responsibility between superiors and "boots on the ground" in a maximally deniable way, in practice the only way to get them to abide by a rule is to get them to believe themselves that to do so is for the better.
Are they required at all to produce a list of what they are looking for, like the police must do when serving a search warrant? If not, what guarantees do people have that they won't hold/prosecute you for anything unlawful they find?
105 comments
[ 3.3 ms ] story [ 194 ms ] threadThat's not how you protect sensitive data.
Try crossing the border with a reset device and see by yourself if this makes you suspicious enough to get yourself in trouble (hint: it is)
2. Encrypt backup
3. Upload encrypted backup to cloud server
4. Delete backup
5. Wipe phone back to factory settings
6. Cross border
7. Download backup from cloud
8. Decrypt backup
9. Restore phone
This is the only sane thing to do besides not crossing the border with an electronic device at all.
Just turn on Google's backup service for apps and settings, let it finish syncing, and then factory reset. When you login to the fresh phone, it offers you that backup in the startup wizard. If you're on a good connection, restoring the backup is surprisingly fast.
I know that when I switched phones last year, there were a lot of manual steps moving between devices (the HTC transfer mechanism worked for most of that, but I still ended up moving some files manually).
I don't know how to do it on a Google phone, does anyone have any suggestions?
Edit: the other commenter knew.
I'm actually surprised I didn't manage to lock myself out of some service that was relying on Google Authenticator.
You can do whatever you want. Some of us prefer to live in a free country of laws and are willing to make a little noise now and then.
Exactly, that's why I choose not to live in the USA. Also if you're not a US citizen you have no rights whatsoever at the US border.
Problem is getting a backup where the timestamps are up to date. Otherwise, it would be very easy to see that all communications on the device stopped at the backup date.
Someone else here mentioned that they see a market opportunity for generating fake data to load on your phone for exactly this type of purpose. Something like that could work because you would be generating a fresh "fake" to load on your phone the day or so before you cross the border.
I think it's a lot less the physical hardware than the collection of data/apps/credetnials stored on it.
(Cloud phones? Phones as cattle instead of pets?)
The border agent believed me when I said I had lent the phone and do not use this to text message (had not been used in 18 months, was used to send message to numbers not from my country, had an encrypted messaging app full of messages)
That's one time a network locked phone might be handy "Yeah, I've got a newer phone that I use all the time, but it's network locked to Telstra in Australia, so I'm using an old phone for travel."
http://onemileatatime.boardingarea.com/2017/02/22/immigratio...
You: anything other that "yes" would probably be considered lying to a federal officer.
You don't own the baseband firmware, therefore do not trust the device.
The same is true of your desktop and likely router gear, but many of those at least require brief physical access to enable (however there's also in transit or baked in at the factory).
If you want a truly secure device demand fully open.
What I'm more worried about is my data being accessed as part of yet another mass surveillance program. I'm not saying that is not already possible with other means, but I would certainly not want to make their job easier.
If your adversary is the Mossad, or some equivalent thereof, they are going to do Mossad things to you, and you're going to die and there's nothing that you can do about it.
Call me a stoic or a fatalist or an idiot, but this is not something I'm concerned about when I'm crossing a border.
That's a bit hyperbolic. An institution like the Mossad has literally thousands if not millions of "adversaries". They don't kill all of them. They probably kill less than 1% of them.
There's plenty of downside to killing someone. E.g. in 2010 the Mossad horribly botched an assassination: http://www.dailymail.co.uk/news/article-1261435/How-Mossad-b...
If even 1% of their assassinations went that badly, the PR fallout would be devastating. I'm sure they're quite selective over who is "going to die".
Call me a stoic or a fatalist or an idiot, but this is not something I'm concerned about when I'm crossing a border.
There's a 100x greater chance, or maybe a 1,000,000x greater chance that the Mossad (or equivalent) compromise your phone than decide to kill you.
Worst possible advice.
Actually:
6. get in trouble and be detained for interrogation at border
7. Miss your flight / be added to suspect list / have your electronics confiscated / be denied entry / be sent to US prisons for an indefinite period of time without charge
You can choose more than one option for 7.
I had my phone inspected by border agent who found highly suspicious that I had no text messages stored in there, then asked me to enter the password to decrypt my messaging app then proceeded to go through the messages. I ended up entering the country because I knew of this possible scenario and had planted messages in there just in case. I know it worked because when given my phone back it was still open on the very message planted for the purpose of convincing the agent.
Also I mask my actual account on my laptop and create another with enough activity in it to pass for a real one.
I'm not going back to the US anymore in my lifetime.
1. Leave phone at home
How do they react to someone not carrying a phone at all?
Do the authorities have ways around that?
Also important to note - the encryption would have to apply to any external expansion SD cards or else they can just remove the card and copy the data.
Yes. The $5 wrench. https://www.xkcd.com/538/
So in practice, nothing has changed.
Wireless interfaces are deactivated, and any attempt at accessing online material is greeted with a message stating that you're offline.
A better solution would be to disallow all searches of electronic devices since this seems unnecessarily intrusive.
FWIW, my laptop and phone were searched going into Canada and there was no special technology used - the officer just made me unlock them and hand them back to him.
The letter is just ass covering and the title is terribly misleading.
https://www.eff.org/helpout
Do I turn on "airplane mode", and make the border patrol agent super-duper pinky swear that he won't toggle it back off?