Recently this story came up in the news:
Travelers arriving at U.S. borders may soon be confronted with their laptops, PDAs, and other digital devices being searched, copied and even held by customs agents — all without need to show suspicion for cause.
Like most privacy issues this subject will divided people into two camps – the left and right. Those on the left who think that personal privacy, above everything, is critical and if we don’t have personal privacy then the world will be ran by crazy dictators and fascists. Those on the right think that its fine to give up all the privacy we have because of all those crazy terrorists who have their finger over the button of a nuclear bomb, ready to release it at any moment: It is only by reading our emails and intercepting the phones calls can those boys in blue, green, or dark shades, protect us.
Ok, those two sides may be slightly polarized, and very slightly exaggerated, but you get the idea.
The argument put forward by law enforcement is that it is no different to search a computer as to searching other devices, e.g. your brief case or your suitcase. This argument is wrong, for so many reasons, but here are the two biggies: Scale and Content
Traditionally people don’t carry around tones of paper documents, and all the letters they have ever received, and especially not on multinational trips. It’s just not something you do. Electronically this is, of course, easy to do, and we do it all the time. It seems obvious to say, but apparently not obvious to those looking at privacy issues in the US.
People carry around their data and don’t delete as they don’t need to. Giving anybody access to all your data is hugely concerning, from both a personal and a professional perspective. If customs can search the laptops of travelers, without reason, then it is the equivalent of giving them a warrant to search every office in the world.
The second problem is content. People keep things on their laptop, lots of things that tells you about them and their habits, perhaps information that even they are not aware was stored on their laptops.
How many people use Outlook, Outlook Express, or AOL to download their email onto their laptop? A lot is the answer. All of those people will be allowing US Customs access to their personal emails.
What about databases? People are always moving data around (we know this as its always being lost). If there is a database on your laptop the US can have it if they “search” your computer. This will give them a huge amount of information about you, your company and/or your clients.
Passwords, now this is a biggie. Many people “cache” their passwords. This means that they type the password in and ask the computer to store it – you know if you do this because you will see dots or **** appear when you log on to something, as the password has been typed already. If you do this and you fly across the US border, this is an issue. Cached passwords, as the name implies are stored on the operating systems and can be taken out. Extracting this information, within Window’s operating systems is relatively trivial for a computer forensics investigator. What does this mean? It means the US will have access to all of your personal emails accounts, company VPN, and possibly bank details. What they do with this after wards is a whole different issue, but it only takes a stroke of a legislator’s pen to allow the US to access your data, remotely.
The risks described above are certainly a possibility, but are they plausible? Is it actually feasibly for the US Customs to take all of the laptop data in a reasonable time scale, and then do something useful with it?
In short, yes.
Hard drives can be imaged at huge speeds, up to 6 GB a minute. This means that piece of data from a 100 GB hard drive can be obtained in around 30 minutes, allowing for taking the hard drive out and handing it back again. This can also be done on mass. For example 10 people could be delayed for 30 minutes, while customs suck up all of the data. But if this too slow, programs are available just to take the active data, i.e. just the more recent/undeleted data. This would allow access to key data incredibly quickly.
Once the data has been obtained, doing something useful with it is, in short, easy and relatively cheap (given the scale). But once they have the data, they have all the time they need to look at it.
Some people, surprisingly, still think that the Windows password provides some sort of security against those in the computer forensics industry – it does not, it makes no difference whatsoever. This means that, unless a third party encryption tool is in use, that the US Customs will have access to all of your data. Pulling out cached passwords can be automated, as can building databases of communications, who is talking to who.
As the US has been buying up, and obtaining, databases for years from around the world, including the NSA obtaining phone records, it seems highly unlikely they would ignore such a huge volume of data sitting within arm’s reach of them.
Nowadays there is lots of software, commercially available, that is designed to pull together this huge information and allow people draw together assumptions about the information they are seeing, building pictures and creating conclusions.
Is it right?
Is it right that the US government is able to build up a huge network of data about you, your passwords, your personal emails, your files, your company files, your bank details, your pictures, etc, with no evidence, or even suspicion against you?
That is a moral decision, and not a technical one. But it’s one that must be taken by looking at all of the facts, and not just accepting that a computer search is the same as a search of a brief case.
On a personal note on the issue of “Is it right that the US government is able to build up a huge network of data about you, your passwords, your personal emails, your files, your company files, your bank details, your pictures, etc, with no evidence, or even suspicion against you?” I think the clue is in the question.