in

This Blog

Syndication

Tags

News

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Archives

AlertBoot Endpoint Security

AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.

Customs and Border Protection Admits They Cannot Search Remote Data

Earlier this week, the US Customs and Border Protection (CBP) responded to Senator Ron Wyden's inquiries regarding electronic device searches at US borders (more specifically, airports). As numerous media outlets have relayed, CBP "admitted" that they do not have the authority to search data that is "solely" in the cloud, data that is not the on a device itself but could easily be accessed via a smartphone.
The implication, it appears, is that CBP does not want to risk accessing information that could exist in servers located on proper US or foreign soil – that is, outside of their own jurisdiction – and which could require a proper warrant.
But aside from that, CBP reiterated that they have the right to conduct searches on data storage devices. The inclusion of the word "solely" in the response, experts surmise, means that emails, text messages, and other information that exist both in the cloud and a device is fair game.
In addition, CBP apparently admitted:
that travelers can refuse to unlock their devices or hand over their passwords, but if they do so, CBP officials have the right to detain the device. [neowin.net]
 

A Couple of Things of Note

As interesting as the above may be, taking a look at the actual letter(PDF) had plenty of surprising things to reveal that wasn't covered elsewhere.
To begin with, it appears that CBP can search your belongings for absolutely no reason ("do not require a warrant or suspicion") – it wasn't "just a feeling" that they were doing it, it's actual policy. In addition, they will limit when they'll search a device's contents based on geographic location. In a footnote, the following can be found:
Border searches of electronic devices do not require a warrant or suspicion, except that following the decision in Cotterman v. United States, 709 F.3d 952 (9th Cir.2013), certain searches undertaken in the Ninth Circuit require reasonable suspicion of activities in violation of a law enforced or administered by CBP.
The implication here is that, somehow, entering the US via the west coast guarantees a little more rule of law than entering the US from elsewhere (the Ninth Circuit is comprised of Alaska, Arizona, California, Hawaii, Idaho, Montana, Nevada, and Washington, as well as Guam and the Northern Mariana Islands).
In addition, the letter pointed out that searches of devices are "exceedingly rare… less than one-hundredth of one percent of travelers arriving" to the US.
This means that devices searches are less than one in 10,000 (which translates to 0.0001 or 0.01%); it also implies that searches are somewhere close to this number. That does seem rare indeed. Except, let's put that in context, shall we?
According to the US's own government data (PDF), 77.51 million international visitors traveled to the US in 2015. For Americans going abroad, it was 32.78 million; one assumes most of them will return. Applying that 1 in 10,000 figure above, it translates to approximately 11,000 devices searched. It might be relatively small to the number of people entering the US, but it's a pretty big number in its own right. I mean, can you imagine 11,000 phones laid side by side? Where do they even store all this stuff?
For an everyday comparison, take the instance of car crashes. According to this site, over 37,000 people die in road crashes each year. There are about 323 million people in the US. That means 1.15 in 10,000 people die in car crashes every year in the US. Those figures are pretty close to the number of devices searched by CBP.
Now, ask yourself, does it feel to you as if car crash deaths are exceedingly rare in the US?  

One Final Thing

In a question, the Senator asked whether (my emphasis) "CBP is required to first inform the traveler that he or she has the right to refuse to disclose a social media or email account password or device PIN or password"?
The CBP's answer, while long, does not address the issue. It would appear that the answer is "no, there is no such requirement."
Not sure why you'd perform verbal jujitsu instead of coming right out and saying it. It wouldn't be unexpected of people who can perform "border searches of electronic devices [that] do not require a warrant or suspicion."
 
Related Articles and Sites:
http://www.nbcnews.com/news/us-news/border-patrol-says-it-s-barred-searching-cloud-data-phones-n782416
https://arstechnica.com/tech-policy/2017/07/us-border-agents-we-wont-search-data-located-solely-on-remote-servers/
https://www.pogowasright.org/border-patrol-says-its-barred-from-searching-cloud-data-on-phones/
 
<Previous Next>

Australia Looking To Compel Electronic Message Decryption

NIST Guy Who Came Up With Hair-Tearing Password Requirements Says He's Sorry

Comments

No Comments

About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.