644 comments

[ 2.9 ms ] story [ 396 ms ] thread
Not that I ever had are reason to go there, but we can officially strike NZ of the list of places I'll be visiting.

I hope this sort of malarkey doesn't become the norm. This seems rife for abuse. If you have good enough information to demand to rifle though someone's phone or computer, you have good enough information for a damn warrant.

> I hope this sort of malarkey doesn't become the norm.

Ha-ha-ha, sweet, sweet summer boy...

Given the abusive way special courts can be set up as rubber stamps that never deny warrants, a warrant would do nothing to make me feel better about this.
A warrant? It's the border. There's no need for a warrant to inspect your suitcase. A sovereign country has the right to inspect things crossing the border.
Dual boot with one clean system and one actually in use that switch depending on the password given :) ?
Anybody knows if there are existing ready libraries for setting this up on Mac / iPhone?
Doubt it, and surely must be really hard to create given the how closed the OS ecosystem is. But I'd love such thing!
Indeed. It's been a few months I have been looking around for this sort of honeypot booting system, with no results!
It's troubling to watch one of the most amazing places on earth transform itself into a totalitarian purgatory.

Access to physical phone/laptop is only the first step -- mark my words. Big Brother's bureaucrats are never satiated. Next, we will have demands for passwords and unrestricted access to : email, facebook, photo sharing, hacker news posts, social media, etc.

I see sudden spike in the market for burner phones. ANd a long-term opportunity for a company that can create a "burner" social media profile.

totalitarian purgatory

Nitpick: in Catholic dogma purgatory is a place of purification, those in purgatory know that they are there for a reason and only for a certain time, afterwards they enter heaven. Hell on the other hand, is for eternity and ugly. That's why the two are easily distinguished in their iconography, both involve imagery of flames, but souls in purgatory look joyful and those in hell look despondent.

(comment deleted)
Honestly, thank you for explaining that. It's nitpicking, but i don't think learning is ever a bad thing.
sounds almost exactly like going through customs at the border.
Which one, purgatory or hell?
They share a common border.
Thank you very much for the explanation,
Perhaps limbo would be more apposite.
Factory reset and wipe your device before travel, and restore when you get to your hotel. I’m a privacy nut and while this is a disturbing trend there exist straightforward work arounds.

EDIT: I do this all the time and it’s not even remotely difficult or a big deal.

Restore from where?

Are you giving all your data to the evil likes of Apple, Google and Microsoft?

>there exist straightforward workarounds Exactly and that’s why this a problem. This law will never catch anyone that actually is troubling for NZ because anyone who is shady, already uses some workaround.

Now it will only bother and waste time of people who are serious about their privacy to apply this workaround as well.

Nail on head! This does not increase real security and it is a real privacy violation. Dumb lose lose authoritarianism. Disappointed that smart Kiwis do something so dumb
While I don’t agree with this law, it’s not dumb. Security is about defence in depth. A determined attacker might have a way around this law, but perhaps not every criminal would know about this method, or think to use it.

It’s easy to scoff at blunt-tool laws because you can think of a way to undermine them. But law and society are built on a patchwork of imperfect systems which can individually be broken, undermined, manipulated or worked around. In aggregate, they do achieve some semblance of a result, because they are layered together - even if each one alone provides only a marginal element of security.

This will probably be another tool to catch unaware (and generally desperate and uneducated) drug mules. The ones some gang managed to convince to swallow a couple hundred baggies of cocaine.

I guess that helps the country's well being but hardly a violent target.

How do you do this with an Android device without spending hours restoring it?
Or even iOS. Just downloading all the apps takes many hours on a fast connection. Restoring 2FA is also a PITA
I consider a few hours restoring from a backup while I sleep to be a pretty small price. To some people this might be a huge inconvenience, I suppose. I mean, think about it: Hours without access to Instagram. HOURS!!
How about not having a stable connection? That's something I encounter a lot where I travel.
So it might take a little longer. Who cares? It’s a phone.
When I arrive at the airport I use my phone for maps, my travel info, my contacts, my reservations, busses, trains, taxis, uber, messages with people I'm coordinating with, my travel notes, etc...

Or are you suggesting I should camp out in the airport for a few hours to restore my phone before I can figure out where I'm going and get ahold of my contacts?

Oh let me guess. Your solution so to print those contacts and maps (oh, no GPS to figure out where I am on that map) and use a pay phone (because I still need to re-install the apps I'd normally be using to contact people). Heck, I don't actually have phone numbers for > 90% of my friends. I just have them on Facebook, Line, WhatsApp. The only people I have phone numbers for are for people who've been friends longer than about 15 years, in other words before messaging

Maybe I’m just too old or unimaginative, but none of these objections seem like serious showstoppers to me. This is straying far from the original topic but now I’m curious: How would you survive if you were to accidentally lose your phone while traveling, or if it got stolen? One can (and should) be capable of being a functioning adult without a cell phone.
This discussion is about taking a phone with you while travelling and be secure from border searches. Sure, you can leave the home but this is not the point of the discussion.
Why is this about survival? My commute to work is 20 miles. I drive because it's convenient, quick, and practical. I would survive without a car. I could walk for 6+ hours, work for 8 hours (snacking while I work), and then walk another 6+ hours back home. Or I could pitch a tent in my office parking lot and just live out of it during the week. It would be shitty survival, but doable, right?

It's absolutely possible traveling without a smartphone. I've done it plenty of times before smartphones became a thing. But smartphones make it so much easier.

These are all problems you have created by over-dependance on a single point of failure.

It's honestly kind of lazy not to take precautions, particularly when it's that easy - you've already listed out exactly what I'd suggest, and it's how people muddled along for decades in the before-times, more or less successfully.

I would suggest learning how to read maps. It's really easy, especially in urban areas. Find the nearest intersection, and look where it is on the map. There you are.

What a condescending comment.
And when I travel, I usually stay at hotels which means crappy internet.
> How do you do this with an Android device without spending hours restoring it?

There are plenty of backup tools available on the internet, this isn't really a problem with Android. Personally that's what I do each time I travel abroad. Both because I might loose my phone/laptop and because on can never be sure what software/content is legal(or not) in this or that country.

Some people got jailed abroad for content/software that would be deemed legal in my home country, on their computer.

The problem is that a full backup on Android requires root, which breaks a lot of security guarantees and isn't even always possible. As far as I'm aware, there is no possible way for me to backup my non-rooted phone, wipe it and restore is as if nothing happened.
"There are plenty of backup tools available on the internet, this isn't really a problem with Android"

Name one and describe the process. So far everything I have tried takes hours and often loses a bunch of settings that need to be restored manually. It requires significant amounts of work. Also it seems most tools need a rooted phone

> Also it seems most tools need a rooted phone

A minor inconvenience given the legal risks. If you don't want to deal with that just get yourself cheap used gear dedicated to travel purposes.

You still haven't named a single tool or process.
A simple search on Google will yield plenty of results, if you are not willing to do that or even explain which solution you tried yourself and what failed, I'm not going to waste my time recommending an alternative solution to your problem either. In fact I just provided you with another solution which you didn't bother acknowledging.
I have done plenty of research and I couldn't find a solution to backup and restore an Android phone quickly without losing all kinds of data and settings.

I have used the built in backup to Google and noticed that restore takes many hours and a lot of apps lost data and settings. It took considerable effort to get back to normal. Definitely too much work to spend on my first day of vacation.

A burner phone may work but then you don't have access to all your data.

`adb backup`. All you have to do is turn on developer mode to enable adb, root is entirely unrequired. You might need to log into accounts again, I'm not sure. Do note that this can take a while, depending on whether you back up your sdcard and how much storage is in use. You can choose to backup individual apps, or everything, to use encryption, etc.

If you install TWRP recovery (root is only required for the installation, not the maintenance), you can do a full-phone backup.

The only thing I can think of is to make a full backup of /system, /data (and /sdcard) with something like TWRP, move it to a small, encrypted usb drive (bonus points if the partition on the drive is hidden and there's a legit partition as a decoy). Then you just have to restore from your backup, which you would already have locally. Save the backup elsewhere before you leave home if you don't want to lose everything if the usb drive is lost.

That is all a major pain in the ass and, as others have pointed out here, those that want to do harm are likely already doing this. I wouldn't expect normal folks to be able to do this, nor should they have to in order to preserve privacy.

Requires root in my (limited) experience. TWRP + Titanium Backup does the trick pretty quickly.
I did that for a while. But it's still quite a bit of work to get the phone ready after it has been wiped.
And how do you restore the phone? I assume you travel with a laptop? What happens when they want access to the laptop?
iPhone + Chromebook / other laptop, wipe everything to factory defaults before encountering customs. Use full disk encryption.

Login to a cloud server that has your backups / restores / setup scripts / data. Preferably encrypt those backups before you upload them to the cloud server.

Only reason why I don't do it more frequently is it's a pain in the ass. I've been fairly impressed with iOS's backup restoration system recently.

Only had to log in to a specific set of services for everything to be back to normal.

This system is definitely a great way to test your backup restores!

Also: Don't use email for any semblance of secure communications.

Do you always stay at places with high bandwidth available?
No I don't, so I might be not doing a full restore. If I'm on vacation, I might only install a few apps and risk my vacation photos being snooped on by customs coming back. Or I might pre-download installer packages and if I'm very paranoid verify their hash values online later.
>Login to a cloud server that has your backups / restores / setup scripts / data. Preferably encrypt those backups before you upload them to the cloud server.

>Only reason why I don't do it more frequently is it's a pain in the ass. I've been fairly impressed with iOS's backup restoration system recently.

Interesting! My gripe is I haven't found a way to do a cloud backup of an iPhone w/o putting the data in iCloud, which I do not trust.

I'd prefer to make my own backup which I store/pull down manually... is that possible?

My assumption is that if a country is nosy enough to want access to a device, encryption is irrelevant since they'll just demand a PW, so ideally I'd like to wipe the device then pull a backup down later.

You can do an encrypted backup of your iPhone via iTunes, archive it and then move it to whatever you want to. You can also put that backup inside some sort of encrypted container before you upload. You might feel like its redundant to 'double encrypt' your backup, but iOS wont back up a bunch of stuff if you don't encrypt the backup, so you should still do it.

You can also use some sort of E2E backup software like arq or restic, dig through it's archives and download your iphone backup that way.

https://support.apple.com/en-us/HT204215

Treat devices as volatile cache rather than permanent storage.
As long as you don't let them plug it into anything and it doesn't leave your sight, that should be fine. As soon as it leaves your sight or they plug in a hack-yo-phone box, you might as well throw the phone away. Who knows what zero-days they can stash on there.
Yea, if I was a terrorist, that's exactly what I'd do. That's extraordinarily inconvenient for me as a regular tourist.
Happened to my friend when we were crossing, freaked me out. He's actually a dual citizen of U.S. & Canada! I am an iOS user. My thought was to just buy an older iPhone with a cracked screen (anything that uses the same SIM style), use it with no data, and put the SIM back in your stowed-away primary phone after crossing.

    > I see sudden spike in the market for burner phones. ANd a long-term opportunity for a company that can create a "burner" social media profile.
I am sure that some folks will try those things and it may work for a while, but the way things are going, it's not going to matter whether you bring your device, a burner, or nothing at all. All it will take is one more 911-like crisis and inevitable fear-mongering.

Then, your online profile is going to get mined along with everyone else's, continuously, by multiple state-level organizations who cooperate with each other-- whether you've booked travel or not.

By the time folks get to a border it will just matter of diverting anyone with a "red X" next to their name.

I have spare factory-reset phones and laptops for family/friends who visit - in case they choose to travel without devices.
question: what countries on border entry can demand usernames/passwords to online services?
All countries can demand it. They are sovereign.

Are you asking which countries do demand it?

I think you should read that as: "Which countries have laws which allow border inspectors to demand usernames/passwords to online services?" Those which do demand it are a subset of those which can demand it.

Your sovereignty argument is such an extreme interpretation of the question that it's almost certainly not what plg had in mind - if plg did have it in mind, then I find it hard to believe that question would have been asked in the first place.

Consider the question "what countries on border entry can draw and quarter entering citizens?" Your viewpoint seems to be that the correct answer is "all of them", yes?

Laws are irrelevant.

What are you, the individual, going to do when a border agent takes your device and demands your password? “We’re just going to take this for a few minutes, what’s your password? Oh you won’t tell us? Sit in this room for 400hrs. Ok, thank you, you’re free to go, enjoy your stay.”

Nothing. There’s nothing you can do.

Lodging complaints after the fact doesn’t unviolate you.

You can be a renown children’s author and the best you can hope for is an apology.

http://www.abc.net.au/news/2017-02-25/mem-fox-detained-at-lo...

And that from an ally. Not just any ally, Australia is the US’s best friend.

Yes I was asking which countries are known to routinely demand login credentials for online services, and I don't mean who does it for a small number of persons-of-interest but I mean who does it routinely?
That would be hilarious:

Room Temperature IQ Goon (RTG): Give me your facebook password

Me: I don't know my facebook password

RTG: How do you login?

Me: I have a service to hold all my passwords

RTG: What is that service and what is the password

Me: Lastpass, but I don't have the second password

RTG: Second password?

Me: Yes, it requires me to use a U2F token to generate a second password

RTG: What is a U2F token and give it to me

Me: I leave it at home for security

RTG: Give me your phone

Me: Hands over 3310

RTG: Your real phone

Me: I don't travel internationally with a phone that have any data on it that I care about.

Of course the real solution is that I don't travel anywhere.

Your fantasy scenario (oh so satisfying) is very similar to this: https://xkcd.com/538/ Consider the truth therein.

> Of course the real solution is that I don't travel anywhere.

That is considerably more realistic, sadly.

> All countries can demand it. They are sovereign.

"Sovereign" is a fancy word that boils down to, we have enough police- and/or military power at our disposal that we can force you to do it.

No; you are never forced to visit foreign countries. It's more along the lines of: you want to visit, you play by our rules.
> It's more along the lines of: you want to visit, you play by our rules.

PoTAYto, poTAHto

Or in the case of a citizen of said country it’s, “you want to return home, play by our border rules, and btw you have no citizen rights because the border isn’t the country.”
Can a border agent refuse entry to a citizen of a country?
The EFF might have some resources that answer your question.
I have never had a Facebook account. How can they demand something I have never had?
Twenty years ago, Nicholas Negroponte pointed out the irony that when he passed through Singapore customs, they searched his atoms but not his bits.

Is being searched before you get on a plane or enter a customs checkpoint some kind of hideous infringement of your civil liberties? No!

There’s no problem with this in principle. The problem is that it’s silly, and it causes a privacy and security violation while not accomplishing anything.

> Is being searched before you get on a plane or enter a customs checkpoint some kind of hideous infringement of your civil liberties? No!

Of course it is. We're simply used to it, because we're sheep and cowards. But it is. Searching everyone, without probable cause or reasonable suspicion of anything, is a violation of civil liberties, and of basic human decency. It's also pure theater and useless.

And because we have accepted this, other privacy agressions seem justified.

Hey Tloewald, please don't pretend to speak for everyone when you say "being searched" isn't a problem in the first place.

It's not a problem for you, fine. I'd ask you to let me search you but that'd only be to prove a point, so by all means keep accepting it. But when you say it's not a problem, you do not speak for me.

It's pointless, degrading, and above all it's sad that you and many others accept it without questioning it.

The principle here is people can agree to surrender some of their privacy for safety. The problem isn’t that searching my bits is a greater violation than searching my atoms, but that it’s not useful. Right now there’s no pattern of bits I can carry with me to blow up a plane and in any event I could easily bypass the search.

I’m not thrilled by the social contract, but it’s a good deal more convenient than driving across country.

I'll sometimes surrender some privacy for some form of safety or convenience, but that safety/convenience has to exist, not be theoretical.

Positive example: I use Google Drive. I know full well Google could read and analyze all my shit if they wanted to. I surrender to that possibility in exchange for the very cheap and convenient online storage I get.

Negative example: Fuck the TSA and all its theatrics. Those aren't useful. Please do convince me they are; I don't see anyone even trying to pretend they are.

I'd say read your history books young Millenials. Read about East Germany in particular because they are the ones who did it on a large scale in an analog world, where every third person was an informant. Very "1984."

Don't think technological terror isn't terrifying because in many ways it is the most terrifying of all. To live in fear day in and day out--fear of the goons breaking down your door. Fear of being dragged away in the night because you spoke out or complained or because a neighbor with a grudge turned you in to the secret police. Fear of not knowing what happened to people you care about and whether you are next. This all happened ten million times over.

Witness how many of your peers are taken in by leftist rhetoric and how easily people will give up their right to self preservation and self defense to the state.

There's over a billion Chinese living in a totalitarian system today.

The misery is very, very real.

It is an infringement. I certainly don't think I should have to explain everything in my bag to little hitlers.

I'm willing to entertain arguments that it is a worthwhile trade-off, but we must acknowledge that it is an infringement on everyone's rights.

Every additional infringement should come with a justification, an analysis considering whether it will be effective, and a harm minimisation strategy.

> Is being searched before you get on a plane or enter a customs checkpoint some kind of hideous infringement of your civil liberties? No!

No. But they are looking for items that would make the flight unsafe, as well as controlled substances.

If they are searching your bits, they are not looking for either of these things, they are looking for thought crimes. Not only now, but in your past.

There is a big difference.

Searching me for the means to harm people on the plane, bring it down etc is one thing.

Searching everything I've ever said or done online, my personal photos etc etc. is an entirely different proposition.

There are huge problems with this in principle!

Lets not get too excited. There were about 40 million passengers transiting NZ airports last year, according to Wikipedia.[0] The article says roughly 540 devices were searched in the same time period. That's 0.00135% or basically a dozen people per million being searched.

That hardly seems like totalitarian overreach. In fact it seems quite restrained and pretty reasonable - and presumably must be intelligence led, since I rather doubt they are doing this at random...!

0. https://en.wikipedia.org/wiki/List_of_the_busiest_airports_i...

"At first I did not say anything because they were only after ...."
Wait until they get more efficient at it. This kind of thing can be highly automated with software that only has to within a tuned degree of certainty determine who else needs additional screening. You can tune this precisely on how many humans you have around at a given time and can facilitate the "Enhanced search" of the devices.
Has anyone taken a steganographic approach to this? Just have a bunch of pictures of cats (or something more believable, like porn) in a partition, then you overlay sensitive data (encrypted). So you don't have a mysterious partition that is easily found. Obviously you can't store a ton of data that way though. You could even take the same approach with the program itself, hide it inside something else. (I imagine it would still be detectable by someone sophisticated enough, but might make it more difficult)
Right but there will be just be a law that specifies anyone trying to purposely circumvent the search will be accused of a felony. Of course the vast majority will agree because of "safety" and "if you have nothing to hide...".
As a "stupid thought experiment" that's a fun thing to consider. (Somewhere I've got a proof-of-concept perl script that steganographically embeds PGP encrypted messages into an image of the FBI logo and posts them to Twitter. I would not ever actually use it in anger... I still have the private key for all my test/gag posts, just in case I ever need them...)

But if you're _actually_ crossing a border into a country where there's internet access, why would you risk carrying any data that you wouldn't put on a postcard across that border? If you need it, download it after you've got there.

The next step here is to ask Google to have an API that, when plugged in and password is entered - just downloads and "verifies" your data for compliance. Bit by bit all the freedoms will be eroded.
The step after is an "express pass" that has you download software that constantly monitors your usage and uploads it to TSA and related. Helpful widgets and dashboards will be available to see at what level of compliance you're at and used like a credit rating for participating in society.
While I know they have such imbecile laws, I just avoid visiting this country.
Sadly, if your username implies Australia instead of not-in-Kansas-anymore - we're almost certain to get even stupider laws than this fairly soon...
This only applies to those passing through international customs, under 4 million arrivals last year, half of them Australian, who bypass customs anyway.

Searching for the 540 figure it appears to be mobile phones only, there was another 300 computers. So ~840 searches for 2 million people.

https://www.mbie.govt.nz/info-services/sectors-industries/to...

https://fyi.org.nz/request/1119-how-many-digital-devices-are...

I agree; your 1 in 2500 figure gives a slightly different picture of things... About 30x as many travelers being searched.

/* I guess adding mobile and computer searches is wrong though, since some sizable fraction of computer owners have a mobile and would thus have had both searched. So maybe 650-700 searches? Doesn't change the magnitude of the resulting figures much, I suppose. */

Umm, no, Australians don't get to bypass NZ customs. What if we had some seeds or dirt on our shoes? Or <shock> some fruit?

But yeah there wouldn't be many searches.

On the other hand let's not get complacent.

At all.

In other words, there is a 0.00135% chance you will be fined $5000.

...anybody wanna sell insurance?

Riddle me this - what is the alternative? Don't look at a phone? Why do we look inside suitcases? Why have the concept of customs?

We search things across borders for things our country does not want. We don't want drugs. We don't want fresh fruit (which will trip up more people than drugs).

We don't want child porn. And if a phone is a container for that content, we want to be able to explore the container.

Of course, there's a million different ways around this. Get burner phones. Store content in the cloud. Have seven firewalls. Whatever. But that doesn't change the concept of inspecting things across a border to make sure things we don't want, don't come in.

And if that's a totalitarian purgatory, then name a country (or external border for the EU) that isn't a totalitarian purgatory.

(comment deleted)
What about "probable cause" or "innocent until proven guilty"? Why would I have to accept being strip searched without a warrant?
At a border, you have no rights.
That's not true in many countries.
But I wonder why. If I am a resident of a country, why is that my rights suddenly go away at the border? Why is it that I have rights when I step out of the airport but when I am in it, I have no rights.

I am not criticizing what you said, I am curious.

Because they can. Civilisation spent centuries building up rights and due process, and then the authorities suddenly decided none of it mattered in this specific context because we let them. We should be livid. It's an absolute disgrace and an embarrassment to post-enlightenment humanity.

I can't use the visa waiver program to travel to the US because I was arrested once. Not convicted of any crime, mind you, just arrested. In the rest of society it's a pretty strong principle that guilt is decided in courts, not by police officers. No matter: anything that makes you seem less than the lowest possible risk is enough to deny you something. No presumption of innocence, no visa waiver program for me.

My girlfriend's mother has applied for a family visa that would allow her to immigrate to my country (where her daughter lives) permanently. The application takes several years. In the meantime she applied for a tourist visa to visit us for Christmas later this year. It was denied. We can only speculate why, but of course I suspect that since she has demonstrated a desire to immigrate permanently, the authorities consider her at risk of overstaying the visa. A mother who has done nothing wrong can't visit her daughter for Christmas because of this, and it makes me furious. She has no intention of overstaying: if this is why they rejected the visa it is again an assumption of guilt instead of one of innocence.

I wonder if there is any way to make it an election issue in any country. Parties seem to be unanimous on the topic, and most people don't travel, so it's probably not much of a pull for votes. Influential people travel more though.

> Influential people travel more though.

And probably have sufficient influence to sidestep most such problems.

Clearly the U.S. political system isn't interested in anything that sounds like weakening border security. I think we're all going to be suffering indefinitely.

Which is something we should never have accepted in the the first place, and something that should change immediately.
Yes, that's the actual problem.
Given the content of most people's phones, a file by file phone search should be considered at least equivalent to a strip search, maybe even a cavity search depending on how freaky the person gets with their selfies.

Worse still is it's a nonconsensual, uninformed strip search of any sexual partners that person has...

I get your point....but a similar and more worrying thing is happening at the Canadian/US border right now.

Entry to the US can be denied (for life even) if the customs agent suspects the traveler has involvement with Cannabis.

That includes having investments in Cannabis companies.

So if the take my phone and find any information on it connected to Cannabis I could be barred FOR LIFE from entry into the US.

That means that I am leaving a country where that is legal, and entering into a state that it is also legal some border gaourd can ban me for life - even if all I did was search for "Cannibis legal in Canada".

Where does it end?

That objection seems orthogonal to the point though. The US could make it so that owning a blue shirt means you are barred from the US for life. They open up your suitcase and find a blue thread.

Ultimately it's the law itself rather than the enforcement of it that you're objecting to.

Cannabis use is considered a “crime of moral turpitude”. So it’s legality elsewhere is irrelevant to the US.

However your scenario is inaccurate. Just as having a google search about murder weapons won’t bar you for life neither will search history about cannabis. They may ask why your interested in it... But learning about a crime is not equivalent to commiting the crime.

Even just having investments in Cannabis stocks can cause a lifetime ban https://www.ctvnews.ca/canada/why-investing-in-pot-could-pos...

>Even though Znaimer didn’t admit to personally using pot, he was given a lifetime ban anyway because of his investments in U.S. marijuana companies, he said.

>In one case, Saunders said an Edmonton man received a lifetime ban from entering the U.S. simply because he was a part-owner in a Colorado building that leases space to a pot dispensary.

So what is stopping them from denying entry due to search history?

The rationale in the US law is that the crime is an equal moral failing to murder. That may be irrational to you and I, but that is the law.

Just as being an accessory to murder would be considered "very bad" so too would supporting cannabis use in any way. According to US law he is investing in a criminal enterprise, similar to funding a cartel in Mexico. The law doesn't match the common person's perception of severity, but the US border guards will enforce the law as written.

Again, none of this prevents you from merely learning about cannabis. It requires action of some sort to further the use of it.

By that logic, if you owned property that was rented by a murderer, you should be banned as an accessory to murder. It's absurd.
Its more like leasing a room knowing it was Dexters kill room. That said I'll go no further justifying US pot laws. But the failure is in the severity assigned to the "crime", everything that follows is rational if you accept the premise that it truly is akin to murder.
This is kind of thing is not new. Canada doesn't let people with DUIs enter the country. They also inspect electronics and have for a number of years.

And marijuana is not legal anywhere in the US at the moment. There are simply some states that don't have state level criminal laws associated with marijuana.

> We don't want child porn. And if a phone is a container for that content, we want to be able to explore the container.

I could be 100% wrong, but I feel like you could check every digital device entering the country all day with 100% accuracy and have less than a 1% impact on the amount of child porn (or any other digital contraband) being trafficked.

One of the problems with this is that it is trivial to evade for someone intent on serious wrongdoing. A person who manufactures child porn for money, for example probably won't use their phone to transport it across a border. They'll transfer it over the internet, most likely in a surveillance-resistant manner.

Instead, these kinds of searches catch people who don't know they're doing something illegal, or who the government finds undesirable due to their associations or business activities that are legal in their home jurisdiction. They may also be used to map out networks of contacts.

I do not want governments doing the things in the second paragraph.

I was in Wellington during the GDPR protests. Instead of arrested and fining those who illegally searched and handed over Kim Dotcom's servers, they just changed the law to make it all retroactively legal; making spying legal on all citizens.

At least they banned software patents.

For others saying something to the effect of "we let them search our X already, so the phone is a logical step and not a big deal," you've already given up your expectation of privacy, so you can't understand why others would want to keep it. This is the slow creep of the state with concomitant erosion of liberty.

In a few short years, you are the ones who will be justifying any of the following on grounds that "they already do the less-invasive thing, why not one step more?"

- Mandatory fingerprinting (USA does this for foreigners in some airports)

- Declare all cash, declare all crypto (with addresses / xpubs)

- Bank account logins

- Register electronic devices / install software trackers

- Hair sample for drug testing

- Cheek swab for DNA

- Blood draw to check for diseases / drugs / DNA

The Feds will already have most of this information now.

They've long had your bank account information (thanks to the PATRIOT Act). They probably have trackers installed on the chipsets of devices, but ignoring that, we know they are capable of intercepting most internet traffic.

Most people have their fingerprints taken, either as the result of a run-in with the law, legitimate or otherwise (clerical error). Or because they were incentivized in some manner (TSA Precheck). Federal IDs are rolling out now too.

In the UK and NZ they're already looking to stop people from buying burner phones with cash.
Come on... 2nd hand phone you can buy from gumtree for cash.
But you still need a connection. They practically want a blood sample when you try to register a SIM.
Bringing a blank phone with you isn't really a problem, but getting a local SIM can be.
> getting a local SIM can be.

I just picked up a new one for a work project at the local supermarket yesterday - $1NZD.

Which provider? I noticed (too late) that the airport SIMs have special overpriced plans. I'm used to paying ~$10/GB for data in Australia, it seems to be about double that in NZ without going on a plan.
I went to NZ fairly recently and I went with Skinny Mobile. It was 10G for $46 - 28days (Ultra Combo). No idea if it's still available or not.

It automatically renews though, so I had to remember to cancel it when I left.

I bought a 2 degrees one, but I'm pretty sure they had Skinny and Spark as well at the local New World. Easy to setup with just a credit card, or could've used one of the voucher cards which I'm pretty sure can be bought with cash.

Both here and in the US, I've found that airports usually are not good places to get SIMs - there seems to be some agreement whereby the expensive ones aimed at tourists are all that's available. Supermarkets or department stores tend to be my go-to.

In Australia they have to record the details of the person buying the phone, but suffice it to say that relying on someone making minimum wage at a supermarket to enforce national security isn't particularly effective.
Just buying a phone at the supermarket doesn't make the SIM work.

When I registered my last SIM, I did it online and they wanted Drivers Licence number and a lot of other info that I felt was quite a lot just so I could use a phone.

Yeah they try to track when people have lots of phones registered to them. But last time I did it they were not able to correctly validate international passport numbers. Or you could just buy validated sim cards from poor people or international travellers.
> We're not going into 'the cloud'. We'll examine your phone while it's on flight mode

This law isn't too bad as far as a compromise bill goes. The problem is a lack of accountability. Three fixes and I'd be okay with it:

1) Officials must document their reasons for finding a "reasonable suspicion of wrongdoing";

2) Travellers should be able to challenge the search in a court proceeding to occur no later than close of business the next day (traveller must surrender their phone to the court in the interim, but is free to leave the airport after that); and

3) Searchers cannot (a) copy data from the phone while searching, (b) turn off airplane mode or (c) take more than [2] hours to conduct their search.

Not saying I agree with your "not too bad" assessment. But your list is incomplete without considering the violations of third parties who have shared items in confidence that are now on the local device.

So:

4) All third parties (meaning people other than the traveler) who have their privacy violated in the process must be informed immediately of the full details of the privacy violation. Which communications, pictures, etc. were viewed and or copied and by whom, and how to follow up on these violations.

> All third parties (meaning people other than the traveler) who have their privacy violated in the process must be informed immediately of the full details of the privacy violation

This isn't a requirement when e.g. police search an office and so wouldn't seem appropriate in this case. NDAs, explicitly or implicitly (through statute), tend to exempt courts, regulators and law enforcement.

I think you're thinking of cases where there is a search warrant and the potential harm to third parties has been weighed against the needs of the investigation, which should be predicated on a robust assessment that determines that this particular case justifies the harm.

I don't think leaving the decision up to the agent at the point of entry, or basing it on some kind of random selection, is as robust as a good quality court issuing warrants. Though I'm contradicting my point elsewhere in this discussion about being generally skeptical of such courts.

Many (most?) NDAs between companies represented by competent counsel do have notification provisions (if Company A is compelled to disclose information covered under the A/B NDA, Company A is required to inform Company B of the fact [unless legally prohibited from doing so.])
Historically, I'm unaware of any country where you're entitled to require a court order before they can inspect your belongings when passing through a customs inspection at the border (and almost everywhere they don't need any suspicion of wrongdoing—they could, if they wanted, go through every paper everyone carried in, with the more or less sole limit of diplomatic bags).
> I'm unaware of any country where you're entitled to require a court order before they can inspect your belongings when passing through a customs inspection

I agree, but I think historical precedent with books and papers is different from our phones. Note that my process still defaults to allowing the agent a casual search. The traveller simply has the right to call foul and require the agent to produce their reasons in front of a judge.

The key difference between searching someones suitcase and their phone is that people don't generally carry their medical and financial records in paper form when they travel.
Medical and financial records have always been legitimate things to search by customs. You may in fact be denied entry if you don't have them in paper form, in some cases.
To some extent yes - I have experienced the financial side of this - but those are generally just statements to prove you have enough money to stay in the country until you leave. Just the same with medical records stating that you don't have an infectious disease.

It doesn't include your entire history of financial transactions and investments, nor does it include a history of all operations and procedures that you had done.

It's a huge security concern. You should give your passwords to no one: zero/no people. I wouldn't do it just out of personal security. It's not a matter of just changing it either. Your can't put a device password in a password manager,, so that's going to usually be one of your highly secure passwords. It shouldn't be used many places, but you still need to change it everywhere afterwards.

Just from a basic security perspective, this is teaching citizens it's okay to give your password out to authorities, and that's just fucking terrible.

Privacy Commissioner John Edwards had some influence over the drafting of the legislation and said he was "pretty comfortable" with where the law stood... "You know when you come into the country that you can be asked to open your suitcase and that a Customs officer can look at everything in there."

Evidently, severe brain damage is no hindrance to securing a commissioner's appointment in New Zealand.

Devil’s advocate: what _is_ wrong with that logic? If we accept that customs can search our persons or luggage as a condition of our entering a given country, what is it about digital materials that makes them off limits?
Also there could be explosives/drugs and other stuff in Luggage. What is the threat of shit on my phone?
Your `/docs/plan-to-hijack-airnz-plane.txt` file might be seen as slightly dodgy?
The problem is, `/docs/plan-to-hijack-airnz-plane.txt` can easily be downloaded from the cloud once you're in-country, so you can just not keep it on your phone. This is a significant difference compared to bring in explosives (as an example), where searching your luggage would actually be effective.

Again, this law will primarily inconvenience / harm law-abiding folks, while not preventing the "bad guys" from doing what they want.

Digital Materials are an extension of your brain, a window into your files, a key to your bank account and safe deposit box. The government doesn't get to access those, the shouldn't get to access my phone?
Because there is a HUGE difference between the contents of your luggage (some clothes, maybe some souvenirs, etc.) and all of your digital accounts (personal pictures, credit card numbers, access to banking, home address, etc.) I don't really care if the TSA look at my underwear, but I don't want anyone, especially low level employees, having access to every single aspect of my life.
You are classically Missing The Point.

Historically, your luggage would contain personal pictures, credit card numbers, general banking statements, generally personal information, etc. The medium in which this information is stored and carried around has changed.

The need to inspect what you're bringing into the country has not.

These processes didn't originally come about because people wanted to inspect your 5 different pairs of underwear or what personal devices are exploring where the sun don't shine. The people decrying this as some sort of over reach are basically just admitting ignorance to the fact that these processes are just lagging behind how people actually carry and transmit the same information they've been inspecting for nearly a century. It's just a small update to continue doing what border patrol has always been doing.

What's actually problematic is the there's so much information housed together on one device. In border patrol/guard/police in customs/etc attempt to, again, continue doing what they've always been doing that particular advance in policy and process has incidentally lead them at the forefront of a lot of information people used to either keep in their homes or just in their head.

Personally I think this more of a data organization problem than it is a government over reach one. It definitely needs to be discussed. It doesn't need to include tired cries of a 1984-esque future.

(comment deleted)
It’s much harder for them to do something nefarious with physical documents. Not impossible, but it doesn’t really scale.
This is a classic case of a law that will only effect your average (law-abiding) citizen.

If you have something to hide, it would be trivial to store it on a web storage service that those searching you would have no way of knowing you possess (how would they know you have an account on some obscure storage platform that you paid for with monero? Or even just information stored in S3, they would need a list of all users linked to passport numbers for every service available around the world, since if they don't block VPNs you'll just use a service not available in NZ). So you wouldn't have it physically on your device, but you would be able to access it just as easily in 2018.

Or a free solution would be a noise.raw file that is actually an encrypted volume (many encryption formats are indistinguishable from random data).

they would need a list of all users linked to passport numbers for every service available around the world

At this rate, I wouldn't be surprised if in a few years, a person needs to punch in their SSN (or the equivalent in whichever country we are talking about) simply to access the internet and any service on the internet.

But for today's case - this is just security theater. Just a reminder to average Joe that he can be harassed anytime.

I don’t think that’s true, people weren’t carrying around every photo they ever took, and even then they took a lot less photos. People did not carry around all their banking statements all the time, etc. It’s an order of magnitude problem; yes, sometimes, people carried around those things and their diaries or whatnot, but this is more akin to giving the people the keys to your house, so they can make a perfect copy of to rummage through at their hearts content and find everything in it, and then wiretap your house.

This process came about because the public hasn’t demanded privacy protections as much as it has demanded safety, not out of any logical extension for existing policies.

> People did not carry around all their banking statements all the time

No, but you definitely needed to have your banking information on you when traveling for an extended period of time, especially internationally.

>It’s an order of magnitude problem

I think we're talking past each other. This was my "data organization" point. All the data is now housed together.

> not out of any logical extension for existing policies.

Why do you say this? I outlined how it was a natural progression and you just went "nah."

Basically I don’t think that this logically extends from suitcases to full phone access in the same way I don’t think that the right to bear arms allows you to train and arm a private army with tanks and fighter jets. At some point, it stops being a logical extension of a rule and starts being of a different kind due to changes in magnitude.

Here, a country may be concerned about objects being physically brought into their country, but to be concerned about a persons digital life is a concern of a different kind, because of the scope of that search. It’s not a logical extension in the minds of most people who understand that magnitude of difference. I really hope I can convince you too!

I don’t think that border patrol was (in any meaningful numbers) catching financial crimes because people brought their bank accounts or private letters across borders. I really do not buy that this is a necessary step to fight crime at all (if it were, where are the unsolved crimes? What tragedies would have been prevented?) I think this was catching people moving cash/drugs/weapons off the grid and it can still function in that capacity without forcing digital searches.

Instead, this just grossly invades the privacy of tourists who don’t think to bring a burner phone.

>Basically I don’t think that this logically extends from suitcases to full phone access

I get that you don't think that is the case, but you're not really explaining why you believe so.

> but to be concerned about a persons digital life is a concern of a different kind

But as I said, they're just inspecting the same thing they've always been inspecting. The medium is different and it incidentally happens to be housed with a bunch of different data that historically was kept separate, purely for technological reasons.

You're implying that the cause here is "concern over a person's digital life" but you present no statement or proof that's what these policies are actually aimed at. I think it's fairly obvious that it's a simple reconfiguration of a policy to adapt to changing habits. And if it's not obvious I think the statements from government agencies explaining these policy changes shed further light on why it's being done. But you need to have a reason you believe this to not be the case. It can't just be.

Let's review some statements that hit on some of the above points:

Here's Canada, actively instructing people about to handle sensitive information: https://www.priv.gc.ca/en/privacy-topics/public-safety-and-l...

>Individuals entering Canada who are concerned about how this policy might be applied may wish to exercise caution by either limiting the devices they travel with or removing sensitive personal information from devices that could be searched. Another potential measure is to store it on a secure device in Canada or in a secure cloud which would allow you to retrieve it securely once you arrive at your destination.

Here's New Zealand's review of why they're changing the law: https://www.customs.govt.nz/globalassets/documents/c--e-subm...:

From page 63:

>Customs’ interest in relation to digital files is in the following enforcement areas:

> * Intercepting prohibited or restricted items

> * Identifying infringements of intellectual property rights

From page 64:

>Our Act does enable us to enforce the law in relation to the following prohibited goods when they are in a digital format:

> * Objectionable material and images – “objectionable” has a very broad definition under the Films, Videos, and Publications Classification Act 1993, and can capture material ranging from violent or degrading sexual images to material that encourages criminal acts or terrorism

> * Designs for weapons or for other items of potential military use

> * Designs and blueprints for making nuclear, biological, chemical or radiological weapons.

Pretty far away from "concerns about a person's digital life."

>in the same way I don’t think that the right to bear arms allows you to train and arm a private army with tanks and fighter jets.

This analogy in no way is relevant to data organization and transmission. It's pretty hyperbolic and distracts from any point you are trying to make.

Let’s for the sake of argument assume that the governments stated reasons are what they are going after. Is the off chance that someone carries objectionable pornography, designs for nuclear or chemical weapons on their personal phone (instead of emailing them encrypted, or following the state’s own guidelines on how to avoid being searched) worth the ability to search everyone’s personal phone without some kind of judicial oversight? How many people are estimated to be doing so? How many people did they used to catch via the old papers method but cannot anymore? The burden of proof should be on the state who wants to infringe on the privacy of travelers.

I mean, to me the fact that they acknowledge that anyone serious about privacy can take measures to circumvent it pretty much blows the story that this will be effective at catching people smuggling weapons designs or other serious crimes out of the water.

>This analogy in no way is relevant to data organization and transmission. It's pretty hyperbolic and distracts from any point you are trying to make.

I’m trying to make the case that clearly magnitude affects whether or not something is a reasonable extension, perhaps poorly. But you’ll surely concede that doing something at increased scale often changes the nature of that thing? And that’s what I’m saying here, you aren’t just giving away what would have been in your suitcase, you are giving away the keys to your house, car, mailbox, safety deposit box, diary and family photo album. That means it changes the nature of the request, and can’t be considered along the same lines as a suitcase.

>Let’s for the sake of argument assume that the governments stated reasons are what they are going after.

Okay but there's no "sake" about, that's literally what we are trying to establish. If you don't believe that a logical progression of existing laws and processes into new mediums is there reason why these policy changes are taking place, contrary to basic reasoning and explicit statements from these governments while pushing for these changes, you have to have an actual reason why you believe this not to be the case.

>I mean, to me the fact that they acknowledge that anyone serious about privacy can take measures to circumvent it pretty much blows the story that this will be effective at catching people smuggling weapons designs or other serious crimes out of the water.

There are plenty of ways to get away with murder but that doesn't mean we take it off the law books because of its efficacy. That's a really silly view point.

>But you’ll surely concede that doing something at increased scale often changes the nature of that thing?

As I said in my original post, it's worth discussing and certainly worth finding a solution too. But the particular governments we're talking about have well stated reasons for their policy changes, they aren't doing it to be draconian. We all started clumping our data together. Governments didn't increase the scope of what they were looking for.

>That means it changes the nature of the request, and can’t be considered along the same lines as a suitcase.

But that's exactly what it is. There's a reason we have have "files" and "folders" as basic user data organization schemes. Border policies haven't actually changed in any of dramatic fashion. Again we just started storing more data by other data, data they were already inspecting. You might argue that this little fact is the basis for why the policy should be changed, but you have to actually argue it.

> The need to inspect what you're bringing into the country has not.

True. It went from zero to.. zero.

I'm pretty sure it's extremely import to inspect what people are bringing into the country. Besides the financial... tools that people can bring into a country there's a whole host of other items that can negatively impact the country, and not just from a social aspect:

* Invasive species. This includes plants, not just animals.

* Drugs

* In times of known or potential epidemics, screening people for obvious sickness.

* Weapons or tools that could be used for the purposes of terrorism.

Why would you say that there's no reason to inspect what people are bringing into your country?

1) All of those also apply to inter-region travel within the same country. Should those have guarded borders too? Shouldn't there be guarded borders between neighborhoods in the same city, just to make sure that nothing bad spreads? Hell, why not run around "inspecting" people's houses at random, just in case?

2) None of those are digital, so your earlier justification is moot anyway.

I'm well aware none of those are digital. That was exactly the point, to provide reasons outside the scope of the current conversation, since it's clearly being debated in this thread. I don't think you can really debate the above reasons therefore there is absolutely a need to search you as a person and your belongings when crossing a border.

As to your first statement, ignoring how disingenuous it is, if those standards did have a reasonable justification for applying them to inter-regional travel the fact that we do not apply those policies to inter-regional travel does not negate the justification for applying those policies on the international border. It's not binary.

> As to your first statement, ignoring how disingenuous it is, if those standards did have a reasonable justification for applying them to inter-regional travel the fact that we do not apply those policies to inter-regional travel does not negate the justification for applying those policies on the international border. It's not binary.

So what is that justifying difference that you seem to think exists?

National sovereignty, which historically simplifies to war-time allegiance. This is a common classification for governments of nation-states imposing travel restrictions. Are you asking if it's justified?
(comment deleted)
If you bring a suitcase full of bananas in to Australia, customs will take them and detroy them, and probably prosecute you.

If you bring an electronic device in to Australia full of 0s and 1s that can be decoded to display as pictures of bananas, customs will just think your a bananaphile and shuffle you along.

Digital goods are fundamentally different.

You can’t cross the border, buy a suitcase, then download a bunch of bananas to fill it.

You can cross the border, buy a phone, then download instructions from your terrorist boss.

Whatever else these digital searches are I don’t know, but they’re certainly ham fisted to the point of embarrassment for the agents and agencies.

An equivalent example would be giving customs permission to search something private and located somewhere else, such as your house, simply because you're entering the country. This is an obvious and disgusting overreach of authority.
It's got your whole life in there. It's like allowing them to search your house first.
difference is that if they keep something from my suitcase, I will know. I have no such guarantees when they access my phone unless I see what they are doing.

That means, that you should expect your device and all access tokens on that device compromised.

I mean, they could cut copies of any keys you have on you, so you don't really have any guarantees there either, and you should therefore expect your locks to be compromised. Or they could photocopy any paper documents, etc.
Difference is , they need to break into your house to steal your bananas. Here, they steal the bananas along with the key.
I store information on my phone like my private thoughts, because I know that it’s an encrypted, secured device I always have with me. I wouldn’t store that information on paper — the best analogy is that it’s a backup of parts of my brain.

When you go through customs, they can’t just search your brain. They can search your possessions, but they can’t mind dump you.

That’s the critical distinction. It’s not my property that’s the problem. It’s that it’s an extension of my brain.

They only reason border agents don't use a mind-dump machine is that they don't have the technology.
Continuing the "devil's advocate" perspective, perhaps the thinking that phones are an extension of the brain is the wrong way to think of them.

> I know it's an encrypted, secured device I always have with me

What if you didn't know that? What if you thought of it as just a suitcase?

If someone carries a notebook that contains printed pages of encrypted material, what is the expectation?

Whatever the answer to that question is, the expectation shouldn't change based on what medium the material is stored in.

Are border agents allowed to read your diary? What if you put a simple lock on it?
IMO it's the breadth and depth that is possible with our digital property. It's one thing to search the digital equivalent of some luggage (maybe the contents of a cellphone) and another thing entirely to be able to search through the entirety of one's digital property, which I see as the digital equivalent of authorities searching through your home, your car, and any other property you might own.
Let's start that you've been visiting a website called "Hacker News". Explain that to the customs goons when they ask you what is it.
I find it fine for them to require looking through digital material. The problem they have is that the digital material is complete nonsense without also having a password to decrypt it with. What should be off-limit to law enforcement in general are the secrets we keep in our memory.
My suitcase doesn't contain:

+ Communications with my lawyer

+ My private health information

+ My detailed financial information

+ My communications with significant others which may be of various degrees of sfw

+ My work files, including proprietary or secret information

Any of those things would absolutely require a warrant, and may even require a specialized warrant in some cases (communications with my lawyer, health information).

This is a nuanced topic (border security), and while I think there's slippery slopes (and their associated fallacies) in both directions, it is true to say that you are very free to share none of those things with border security, and border security is very free to not admit you to the country.
In most countries, border security isn't entirely free to run rampant over your basic freedoms. Privileged communications (eg client/attorney) is an extremely important basic bastion of freedom and law, and violating that (which in this case seems incidental, not intentional) is a mockery.

Sure, any country is welcome to violate that norm, just the same as any country is welcome to force it's people in labor camps for insulting Dearest Leader. The rest of the world is also welcome to respond appropriately.

> In most countries, border security isn't entirely free to run rampant over your basic freedoms.

Can you give me an example of a non-EU country, or an EU country admitting a non-EU citizen, that has strict rules on how a visitor must be treated?

Primarily because you are not preinformed for the search. There is an expectation that your luggage may be searched, hence you dont put your favorute fetish items if you are easily embarrased. Most people don’t expect to have their sexting history searched (and possibly easily copied). Even if it has become legal, it is not a widely known practice, which means that in practice it violates human rights. Someone should take this to court, even if the only gain to be expected is Making it widely known, and -hopefully- people will stop voting to enable these authoritarian practices.
The contents of the phone aren't going to blow up a plane nor are they going to shoot someone in the head. Pretty obvious.
Some material that can be stored on your phone is not permitted into New Zealand, like child pornography.

If you had that stored in your suitcase, it can be discovered, and a prosecution started.

If you had that stored in your phone, it can be discovered, and a prosecution started.

Phones aren't magical parts of your brain, that can cross borders without being inspected. There's no digital 'diplomatic pouch'. Just because there's lots of sensitive goodies inside doesn't mean it's immune to inspection. Why would it?

Well, for one, it's a gateway into services/data that are not being brought into the country. I don't store a complete directory of all my contacts in my suitcase, why should the government be able to collect that from my phone? My phone can connect to my email and retrieve information, no one would print out their entire inbox and carry it in a suitcase...
That argument is silly because all those things could also be stored (encrypted) on cloud servers and downloaded from NZ at any time. Trying to protect the country from CP via border checks is like a comedy skit to me.
There is a digital diplomatic pouch though, it's called "the cloud". Anyone that wants to smuggle illegal bits and bytes into a country can simply do it over the Internet.

The reality is, nothing on your phone can cause actual danger to anyone in the way that guns or a bomb can.

I find this cloud argument rather weak.

So you have two ways getting illegal contents into a country. Instead of preventing both measures (which is what governments are trying to do [1]), you are suggesting ignoring one of the ways because the other way currently works?

The whole point of the customs and laws is to prevent any sort of measures to getting illegal contents into the country, either physically or via the cloud. Just because it is currently possible to do it via the cloud, does not mean the customs should give up checking physical devices.

[1] http://time.com/5344265/3d-printed-guns-legal/

Yes. Because it's too intrusive to search people's phones without probable cause and a warrant. I don't doubt that searching everyone's phone will result in criminal convictions. I do doubt the value to society in doing that.

3d printed guns are a simple bug in US law -- guns are controlled, but ammunition is not. Easy fix, make the ammo require a permit. Homemade guns are no longer a problem.

Please don't post personal attacks to HN. If you don't owe better to the Privacy Commissioner of New Zealand, you at least owe it to this community not to degrade it like that.

Also, in the case that your view is correct, stooping that low discredits the truth. That's bad for everybody.

https://news.ycombinator.com/newsguidelines.html

You're quite right. I had regrets after posting that knee-jerk comment. Oddly, my dissatisfaction is heightened by the ridiculous number of upvotes I received from that post. I shall strive to improve.
Appreciated!

It's an unfortunate weakness of the voting system that knee-jerk comments tend to get highly upvoted. HN can't go by upvotes alone.

Is there a SaaS provider specializing in storing encrypted images of phones?

The idea being that before you travel, you upload the encrypted image and wipe the phone, then after passing through customs you restore.

> before you travel, you upload the encrypted image and wipe the phone, then after passing through customs you restore

That sounds like willfully evading customs, which is a serious crime.

I wipe some of my phones on regular basis and sometimes restore their data from backups (or not).
> I wipe some of my phones on regular basis and sometimes restore their data from backups

I do too. But if you systematically do that before going through customs, with the intention of denying a customs agent the data, that's a different intent. Intent matters when it comes to the law.

I'm not so sure it's that clear. (I'm not a lawyer)

If you can lawfully download a phone image over the internet while in the country and you can lawfully enter the country with no or limited digital information on your person then I don't see how backing up your phone in a different country (where New Zealand has no jurisdiction) and legally downloading the backup in New Zealand is evading customs.

Another (presumably) legal scenarios would include backing up all of your data, carrying no phone into the country, and then purchasing one while there. Is that "evading customs"?

Neither am I a lawyer, but the key part is if you're (a) doing this as a regular security precaution or (b) doing it specifically to evade customs. If it's the latter, it's probably illegal. If it's being done for legal reasons, it's legal.

Something I've noticed those of us who work with computers having difficult with when it comes to the law is the way intent changes the legality of an action. Wiring money to person X is generally legal, unless done so for the purpose of acquiring illegal contraband. At that point, both the illegal acquisition and the wire become illegal.

Neither am I a lawyer, but the key part is if you're (a) doing this as a regular security precaution or (b) doing it specifically to evade customs. If it's the latter, it's probably illegal. If it's being done for legal reasons, it's legal.

Twice now you've expressed this belief. Please share some primary sources that inform your beliefs.

So taking a knife out of my pocket and leaving it at home before boarding a plane is a serious crime?
Hey everybody, this individual is evading customs!
>That sounds like willfully evading customs, which is a serious crime.

Do you have any citations or evidence that choosing to back up this line of thinking? I'd love to read more about the specifics of how downloading legal data from the internet suddenly becomes illegal if you could have carried it across the border.

For example, if once in NZ I pull down new music onto my device from my iTunes cloud library to replace what I listened to on the plane, is this "evading customs"?

Please provide citations to the specific law(s) I'm breaking by doing so, and how downloading the legally purchased music would be any different from a PC image.

Thanks!

(comment deleted)
Apple? Upload to iCloud (it's supposed to be encrypted!), wipe, restore.
How about Android?
Google surely has all your data but I've no idea how you can get it back.
For what it's worth, iCloud provides this for Apple devices.
I don't think you need a special provider... at least on an iPhone, it only takes a few taps to wipe it, and then when you restart it, it immediately gives you the option of logging in with your Apple ID and restoring from your last backup (which is automatically made nightly, and reportedly encrypted).
I use the iCloud Backup feature on my iPhone. It does not back up every night. It seems to be every other day or so. Right now, it reports that my phone was last successfully backed up 26.5 hours ago.
My understanding that it tries to do a backup every 24 hours, but only if it is both connected to a power source and on Wi-Fi.
That was also my expectation. I leave my phone plugged into the charger and on Wi-Fi every night while I sleep. Nevertheless, the iCloud Backup status usually shows that the last successful backup was more than 24 hours ago.
a few months later:

>New Zealand travellers refusing to give up icloud/google passwords now face $5000 Customs fine

If this becomes the norm, then I can see a startup offering "convincing" email, browser history, social media profiles, photos and telephone call lists to present to customs.

Give those pesky 5 eyes poison data of a fictional life via a 2nd phone.

The problem with this approach is that just like a cover used by a spy, you'd have to memorize all the details. One slip would blow this phony profile, then you'd be in jail for making false statements to a govt. agent...
this already happens.

one case I know about: tatoo artists travel the world for work as guests in different studios. most do so under tourism visa sice its only a couple months each place. their managers (and online forums) already have a list of things that can be in the luggage and in their phones and instagram feeds so that they really do look like tourists.

security theaters is security theater.

It would probably be easier not to bring a phone and just buy one when you arrive.
I already do this when traveling.

I have my travel phone which I pop a SIM card into when I land, and I have my normal phone which I leave at home. I don't do it for privacy reasons, but just in case I lose a phone, I'd rather lose my crappy Motorola with a few contacts in it and a few chat apps, than my iPhone X with my entire life in it...

But that looks awfully suspicious, so they might ask you for passwords to your online social media accounts etc.
That ultimately doesn't matter. You tell them it's a travel phone, because you fear losing your expensive regular phone. Your social media accounts have elaborate, long passwords that would be impossible for a person to remember and are stored in a password manager at home (countless formulations you can go with in this story).

At that point there's nothing else they can get from you, the odds are overwhelming that'll be the end of the discussion. There's probably a one in a million chance that eg the TSA might detain you for a few hours out of spite if they think you're screwing with them.

This wasn't quite as bad as I thought it was going to be when I read 'digital search'.

It's still a huge disaster of a law, though. It's an unnecessary invasion of normal citizen's privacy, while not stopping actual criminals.

(comment deleted)
> "A lot of the organised crime groups are becoming a lot more sophisticated in the ways they're trying to get things across the border.

Is this the new "think of the children"? The reasoning seems to be, criminals would rather carry their "digital crime-thingys" across the border saved on their phones, than upload it (encrypted) somewhere on the internet... Or is NZ planning to build a Firewall as well (better than China's)?

waiting for kimdotcom to weigh in ...
Anyone who cares will just use a burner phone when they travel.
There’s a border patrol show on Netflix and they show a few phones being searched. It’s pretty clear it’s not about terrorists and bad people having bad files in the cloud. It’s about people coming on a tourists visa and working. They’d find all sorts of emails talking a out a job.

I don’t think that’s a valid excuse to search devices though. If anything I think it proves work visas need to be more accessible so people don’t have to lie their way in for a job.

>There’s a border patrol show on Netflix and they show a few phones being searched. It’s pretty clear it’s not about terrorists and bad people having bad files in the cloud. It’s about people coming on a tourists visa and working. They’d find all sorts of emails talking a out a job.

Yes, those are non-citizens requesting entry. This sounds like it applies to everyone - including NZ citizens.

And regardless, searches need to be proportional.

Full blown cavity/strip searches at random could cut down on the importation of illegal drugs, but civilized countries require a reasonable suspicion for invasive searches.

Why not apply that logic to digital devices?

Why not apply that logic to digital devices?

They did, at least according to the article. But it's a low hurdle, and cops quickly figure out the script to bypass restrictions like that.

It's no different than the mishandling of trained drug sniffing dogs so that they alert at the handler's command, rather than at drugs/bombs/money/whatever. Countless cars are stripped at border crossing and the side of the road because a cop didn't like someone's attitude.

I really want phone makers to allow me to unlock into separate enclaves on my phone. I.e. If I use 1234 as my unlock pin, it goes to my normal phone. If I use 5678 instead, it unlocks to a separate user account with its own notifications, pictures, apps, etc., similar to a truecrypt hidden partition.
But then you'll find yourself in a situation where you could possibly be lying to the customs officers.
Out of curiosity: Is lying to customs officers illegal in New Zealand?

I've lied to a great many people, including police officers on duty. They can't take me in if I wish them "a good day", or can they?

I'm not sure about verbally lying to customs officers, but in my country (Australia) I know that lying on your customs declaration is an offence (making a false statement on an official document or something like that). The flight attendants have to read out a little script including that after they hand out the declaration/entry cards. I expect NZ is similar.
It's not only illegal to lie, it's illegal to fail to answer truthfully. Customs and Excise Act 1996 s 185.
Entering the US, an honest slip-up can count as a lie and see you barred indefinitely.
(comment deleted)
It can turn out like this -

Officer - Do you have multiple pins on your phone?

You - (if you say) No

Then you lied to an officer. They can also find it out.

> They can also find it out.

How do they know you lied?

"It's a work phone. There's an administrative account I don't have access to."

This is already true of laptops, and with some simple setup beforehand that wouldn't be a lie. I highly doubt any customs officer would press further than that.

(comment deleted)
Have a random number of partitions and answer yes.
Xiaomi does this with MIUI's Second Space feature. Different pins or different fingerprints take you to their intended space of the phone
If you enable it, there's that "switch to your second space" permanent alert you can't hide or dismiss.
"A lot of the organised crime groups are becoming a lot more sophisticated in the ways they're trying to get things across the border.

So they've realised they can bring data into a country on a smart phone with a password. Law enforcement will really be screwed once organised crime figures out the other options.

So, it might basically be ”worth” it to just smash your device(s) instead of refusing and paying the fee. Im not gonna do that, just raising an interesting point.
It's probably more worth it to turn around and not enter the country; unless it's your country .. in which case if you have the money, it's probably better to refuse and see if you can get a court case started to challenge it.
> The new requirement for reasonable suspicion did not rein in the law at all, Mr Beagle said. > > "They don't have to tell you what the cause of that suspicion is, there's no way to challenge it."

This makes me particularly uncomfortable. There should be reasonable grounds.

> Border officials searched roughly 540 electronic devices at New Zealand airports in 2017.

That does seem low, out of what I assume is hundreds of thousands of travelers. With that said, it still doesn't sound reasonable.

I hope the spread of this sort of thing helps push forward general implementations of owner customizable Views and associated triggers of our systems and data rather then the long standing default of binary access/no access. All the technical foundations for this exist right now, and in the case of Apple in particularly they've already got it all together in every modern iDevice. They've got a well hardened and integrated HSM, data siloing and per-file class based hierarchal encryption ("Data Protection"), large amounts of sensors, biometric readers capable of discerning multiple inputs, and an interface amenable to adaption so that even regular users could intuitively understand a View system. Plus for mobile there is an entirely non-security related aspect which is growing in the public consciousness: our limited attention and mental focus budget.

With all that what I'd like to see is a simple interface to create arbitrary numbers of custom Views with associated triggers. The default one would be as we have it now: everything you load is visible at all times after unlock. But then you could create a new one, and select which apps (and in turn associated data in that app silo) appear and which preferences are accessible, then have a "This view will be made active when..." with nice UI for various key conditionals (time, geography, speed, network connection, biometrics, and/or password). It'd then be easy to ensure that while traveling between locations only maps, ride hailing and airline apps would be available for example. If anyone stole the device, or for that matter compelled it in any other way, none of my financials or private info would be available. I couldn't even be compelled to do it at that location, it'd be genuinely out of my control, backed by the same hardware crypto system providing standard FDE. This isn't even about government fully or even in large part, in dangerous parts of the world just as modern device net locks reduced the value of stealing a device a spread of "tourists and the like literally cannot be made to transfer money or the like on the street" could reduce the incentives for certain crime.

And again it'd be a very grokable common sense feature for the attention issue too. These days information overload and things trying to grab for some of our mindshare is a huge source of stress. I'd love if my devices, rather then always being a matter of adding on, started being able to actively help me subtract instead. I could compartmentalize work apps to only even "exist" away from home, no temptation or notifications even show up. And vice versa, entertainment distractions vanish as I enter certain locations. "Willpower" is something of a limited resource too and in practice often comes down to essentially planning ahead to avoid temptations in the first place, not going to the grocery store when starving for example. Our digital devices should be, at our individual direction, automatically helping us as humans. I think that'd be a valuable next step anyway, but the fact that vastly more powerful and user friendly coercion code type systems could be made widespread too would also be helpful in taking back some of the privacy digital can also take away.

QubesOS enables some of this today, at high setup cost.

iOS12 Shortcuts may enable this in the future, if apps can be tagged by users with custom metadata, which then drives a OS-wide policy engine.

iOS "Screen Time" has arbitrary categories of apps, some of which incorrectly classify social apps (like Flipboard) as "Reading". This need to be customizable based on user priorities.

>QubesOS enables some of this today, at high setup cost.

While I think that it can't really work as I envision without hardware integration, in addition user friendliness is in fact a key part because this is another case where widespread adoption would have a kind of emergent "herd immunity" effect. The effect of introducing kill switches ("Activation Lock" in Apple terms) for phones is a good example. From an NYT article from that era [0] following Apple's general push of the feature:

>"Comparing data in the six months before and after Apple released its anti-theft feature, police said iPhone robberies in San Francisco dropped 38 percent. In London, they fell 24 percent."

>"In New York City, robberies (which typically involve a threat of violence) of Apple products dropped 19 percent and grand larcenies of Apple products dropped 29 percent in the first five months of 2014, compared with the same time period from 2013, according to a report from the New York attorney general’s office, which included data from the New York City Police Department. By comparison, thefts of Samsung products increased 51 percent in the first five months of 2014, compared with the same period a year ago, the report said."

Now, with jailbreaking before that it was already possible to have a relatively effective remote kill switch type of feature, and there were even commercial jailbreak products to that effect (or to try to track it down and find it). But when only one in thousands or tens to hundreds of thousands of phones might have something like that, it wouldn't have any larger effect beyond the specific feature working as intended and rendering the phone unusable (or letting it be recovered maybe). For criminals playing the odds it made no material difference overall, if they occasionally got a phone that "broke" after stealing it they'd just toss it. But once it was universal it changed the math on even trying in the first place and became not just a response but a deterrent.

By the same token if everyone had an easy level of adaptive viewing, it'd change the math for everyone else as well. And as a very compelling response to an entirely separate popular demand, if it was everywhere and normal it'd be a lot harder for even governments to single anyone out over it. Even government resources are not in fact infinite, and it's an important check on power as to whether they can engage in mass sweeps or must devote significant individualized attention to each case.

>iOS12 Shortcuts may enable this in the future, if apps can be tagged by users with custom metadata, which then drives a OS-wide policy engine.

I don't think Shortcuts can really handle this, at least not on a stock device.

>iOS "Screen Time" has arbitrary categories of apps, some of which incorrectly classify social apps (like Flipboard) as "Reading". This need to be customizable based on user priorities.

Screen Time on the other hand might represent a small step in this direction. I'd be excited if it was!

-----

0: https://bits.blogs.nytimes.com/2014/06/19/antitheft-technolo...

I mean, they're not blocking VPNs, they're not blocking the transfer of encrypted files. Why on earth would it matter whether or not they did a "digital search"?
How does this work for employer-provided devices? I'd be violating my employment contract and could be fired for providing customs with my password.
I have the same issue. I believe that technically my employer could be in violation with some of the contracts we have with some of our government customers.
(comment deleted)
(comment deleted)
I worked in a role that had rather strict rules about our devices and data. We were given a different phone and laptop to take when traveling, and VPN'd back to the office once there to access our files. The devices were just entry level Blackberry/iPhones and Thinkpads (this was a decade or so ago) with nothing on them except a local copy of the corporate contact list. No email accounts set up, no calendar set up, etc. We were to VPN in for all that stuff when not local (tether laptop to phone if not on wifi and needed email).

If we were questioned at all about it (I never was, but others were), we were told to give them a business card from our direct Manager, and contact them with any questions. I have no idea what the Managers were trained to say or how they dealt with it as I was pretty low in the totem pole, but I assume there's standard practices out there for this.

Not criticizing you but that's terrible advice. Not only is it pointless, it exposes the traveller to criminal prosecution. Why would a customs officer acquiesce?
(comment deleted)
It would be a pretty pointless law if "my employer says I can't" were a defence. I mean, they are targeting organized crime...

I'm pretty sure that part of your contract would be invalid in such a case, especially if you were instructed to go to NZ.

I had a clause be put in my contract that government orders overrule NDAs. Not gonna stick my head into that wasp's nest where I have obligations both ways. Didn't even think of traveling, rather some court order or request to provide evidence or something; but yeah, this is the kind of logic I had that be put in for.

Not that I'll give it up without question, especially for something pointless and overreaching like a border search of digital devices, but still.

Anecdotal, but most employers I've seen have a clause in the handbook about not taking their devices with you during international travel.
> The updated law makes clear that travellers must provide access - whether that be a password, pin-code or fingerprint - but officials would need to have a reasonable suspicion of wrongdoing.

Does the Law in NZ have any provisions against self-incrimination? The US has the 5th Amendment, some countries in the Americas signed the American Convention on Human Rights. How does NZ deal with this issue?

Can't it be considered that providing a password to a safe or personal device is akin to being a witness against oneself?

The 5th amendment doesn't apply to non-citizens and doesn't mean as a US citizen that your device can't be confiscated on potentially frivolous suspicions.
In America the Bill of Rights applies to all people, irrespective of immigration status when dealing with criminal law. Immigration law is administrative, not criminal, which is why this behavior is allowed to occur in the States.
The 5th amendment doesn't apply to citizens, either. It applies to the government.

And the instructions to the government make no mention of citizenship status. "...nor shall [any person] be compelled in any criminal case to be a witness against himself, nor be deprived of life, liberty, or property, without due process of law..."

The 4th amendment likewise applies to the government, and makes no mention of citizenship.

"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

The 14th amendment: "nor deny to any person within its jurisdiction the equal protection of the laws."

The government, of course, holds that physical searches at border crossings are reasonable searches, and therefore do not require warrants. Since Riley v. California (2014), SCotUS established that searching the data contents of electronic devices is unreasonable to do after an arrest, and therefore requires probable cause and warrant. They still have not applied that to searches of border-crossers' electronics, and different federal appeals circuits currently hold different positions on it. Hopefully, SCotUS will soon rule that forensic analysis of electronics at border crossings requires individualized suspicion, but the current nominee debacle does not give me much confidence.

I might be wrong on this but according to this updated video[0] by James Duane, things have changed considerably due to Obama and a recent Supreme Court decision and even using the 5th improperly can be used against you.

[0]https://www.youtube.com/watch?v=-FENubmZGj8

The law specifically says self-incrimination is not a reasonable excuse.
All these laws should come with a stipulation that, if nothing is actually found on a device that actually helps law enforcement protect the civilians, after say about 5 years the law is rescinded. Really, such laws should have to come up for re-approval at an interval anyway.

Anyone who has something to hide will either be smart enough to hide it or not bring the device altogether. Really all they're doing is annoying those who are not a threat.

Law enforcement organizations have exactly zero qualms about simply concocting up cases that serve their political aims.
As if criminals as a class are smarter than the average. Oh they will be caught by this! Example: The amount of people that have felt the urge to show me pictures of their baby marijuana plants is scary. They carry those pics everywhere on their phone! And it's not even like they need those for work.

Don't go around saying how it doesn't work. It makes the life of criminals harder. So it absolutely works. People will be caught by this. The question is: Is it worth it to lose the right to remain silent over it? In my view: Never.

seems like this is relatively easy to circumvent.

Taking a laptop means running tails or having a second partition, something simple/windows to boot up. Customs just wants to see a desktop im guessing.

as for file searches on the phone, its a bit more complicated...

1. run syncthing on your phone, send your data to the cloud.

2. wipe/factory reset the phone. now you're ready for that inspection.

3. restore/load once on the ground and in your hotel.

So have a travel flip phone or ship to US ahead of visit.