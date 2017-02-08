Please create an account to participate in the Slashdot moderation system

 


Government Privacy United States

US Visitors May Have to Hand Over Social Media Passwords: DHS (nbcnews.com) 145

Posted by msmash from the privacy-woes dept.
People who want to visit the United States could be asked to hand over their social-media passwords to officials as part of enhanced security checks, the country's top domestic security chief said. From a report on NBC: Homeland Security Secretary John Kelly told Congress on Tuesday the measure was one of several being considered to vet refugees and visa applicants from seven Muslim-majority countries. "We want to get on their social media, with passwords: What do you do, what do you say?" he told the House Homeland Security Committee. "If they don't want to cooperate then you don't come in."

  • Against TOS (Score:5, Interesting)

    by Anonymous Coward on Wednesday February 08, 2017 @10:13AM (#53825681)

    At least with FB it's against the TOS, and if you sign on from an unfamiliar IP, it would try other challenges to validate your identity.

    • Re:Against TOS (Score:5, Informative)

      by dmomo ( 256005 ) on Wednesday February 08, 2017 @10:25AM (#53825801)

      It's against the TOS for the user to let another access their account via the password. I didn't see anything in there about being on the receiving end. I would say it's implied, but it's not explicit. So security would be effectively forcing the user to violate the agreement with Facebook. Not sure how that plays out legally, but I'm assuming Facebook has every right to terminate their account for complying with the security check.

      Here's the clause:

      "You will not share your password (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.
      You will not transfer your account (including any Page or application you administer) to anyone without first getting our written permission."

      • Re: (Score:2)

        by Kagato ( 116051 )

        Because it's against the TOS, it's against the Computer Fraud and Abuse Act. CBP is asking people to commit a felony. The United States Court of Appeals held just last year that sharing password and allowing access contrary to the TOS is a violation. There are people in PRISON right now for commit this crime. I would not recommend doing it and Facebook should make a statement that what DHS is proposing is against the law.

        If DHS wants to do this they need to ask congress to add an exemption to the CFAA.

        • Re: (Score:2)

          by tsqr ( 808554 )

          Because it's against the TOS, it's against the Computer Fraud and Abuse Act.

          18 U.S. Code 103018 U.S. Code 1030(f): This section does not prohibit any lawfully authorized investigative, protective, or intelligence activity of a law enforcement agency of the United States, a State, or a political subdivision of a State, or of an intelligence agency of the United States.

      • It's also against the 4th amendment:
        "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated..."
        I would argue that an on-line account is an effect of a person (actually in both definitions of the word) and the constitution does not exclude non citizens.

        Just disgraceful what my country has done to it's charter document.

        • Re: (Score:2)

          by tepples ( 727027 )

          At the border, any and all "searches and seizures" are considered "reasonable" for purposes of the Fourth Amendment. See Border search exception [wikipedia.org].

          • Exactly this Tepples, I was just coming here to post that...

            The outright ignorance of the far left on almost every topic these days, combined with their continuous manufactured out of proportion outrage is honestly ridiculous.

            NetworkBoy, you may want to educate yourself and/or get out of your echo chamber before posting on a topic like border searchers and visa vetting, which you apparently know nothing about.

      • TOS has about as much legal strength as a wet paper bag. TOS is a company saying "this is what we want, if you don't do what we want we are taking our toys and you can't play with them anymore". TOS are often in violation of laws, and guess which one wins out in court.

        Laws and federal government action is an armed man putting a gun in your face and saying: "do this or else." All government action is action by force, just consider the final consequence of violating any law and ignoring the consequence of

    • Yep. I could hand over my password. But they'll have a hell of a time getting past the SSO codes (Unless the NSA has cracked that system somehow)

      But I'm going to give the US a pass over the next 4 years. I have nothing to hide, but on a matter of principles I wouldnt give my own govt my passwords, and I sure as hell wouldnt give a foreign govt them.

      • But I'm going to give the US a pass over the next 4 years.

        What makes you think it will get any better after that?

    • For FB, why do they need a password? If they want to check out Mohammed Islam's account, they can just visit his home page and see what he has written. Or even ask to befriend him temporarily so that they can see his private messages as well, and unfriend them once the background check is over.

  • WTF? (Score:5, Interesting)

    by Calydor ( 739835 ) on Wednesday February 08, 2017 @10:13AM (#53825685)

    I can imagine Facebook, Twitter etc. blowing up over this.

    Besides, if they get password access how can they use ANYTHING they find as evidence of anything? They've got WRITE access, for crying out loud! The evidence chain isn't just poisoned, it's rotted right through.

    • Most social websites will have a timestamp of when the post was made or edited. So, government trapping people by writing fake posts may not be a viable option. Or at least we know this, not sure if the bozos running the government do. I think they might even try!

      • I'll wager money on them trying.
        Not necessarily as a program of sorts, but single operators with access because of their position certainly will.

    • Re:WTF? (Score:5, Insightful)

      by squiggleslash ( 241428 ) on Wednesday February 08, 2017 @10:19AM (#53825739) Homepage Journal

      That seems to be the least of the problems. Even if you assume good faith (and you can't... too many stories of individual immigration officers, possibly with the encouragement of higher ups, acting inhumanely towards would-be immigrants), the request doesn't make sense: if I say I don't have a Twitter or Facebook account, are they going to believe me? What are the chances I have one if I live in a part of the world with no Internet?

      And if I do, and I'm actually using my Facebook account to meet up with terrorists, preparing to be the first person ever from any of those seven countries to commit an act of terrorism in the US, what makes you think I'd use the same account for that as I do talking with friends and family? I mean, having one account used for both seems like it'd be asking for trouble. Guess which password you'd end up with...

      What a waste of time and resources, and a completely unnecessary invasion of privacy.

      • Re:WTF? (Score:4, Insightful)

        by Jason Levine ( 196982 ) on Wednesday February 08, 2017 @10:46AM (#53825977) Homepage

        And if I do, and I'm actually using my Facebook account to meet up with terrorists, preparing to be the first person ever from any of those seven countries to commit an act of terrorism in the US, what makes you think I'd use the same account for that as I do talking with friends and family? I mean, having one account used for both seems like it'd be asking for trouble. Guess which password you'd end up with...

        Exactly this. It would take minimal effort for a would-be terrorist to make a "clean" Facebook account. Have it only friend pro-US people and be completely innocuous - not even discussing US politics, but discussing which pop band is the best and the results of "Which Hogwarts House Am I In" quizzes. A clever terrorist organization could even have a whole division dedicated to maintaining these accounts for years before handing them over to the would-be-terrorist. DHS gets the clean Facebook account and doesn't see the secondary account where he's liked every anti-US Facebook post there is. This won't protect us from terrorists (except, maybe extremely stupid ones), will weaken the security of people entering the US, and will lead to abuse.

        • It would take minimal effort for a would-be terrorist to make a "clean" Facebook account.

          Actually I think the amount of effort to do that would drive people to terrorism.

      • Re: (Score:2)

        by houghi ( 78078 )

        Please alsp define "Social media" I do not have Facebook, twitter or similar accounts. Is /. Social Media? Is the webserver with my domain name one, because that is where I put anything I think is important on (It is nothing).
        Is Usernet "Social Media"? What about email?

        • Please alsp define "Social media" I do not have Facebook, twitter or similar accounts

          I assume only Facebook and LinkedIn would help you make a case that you should be admitted.

      • This is the same as any other thing that gives someone access to personal data. Identity theft in just the US costs victims billions a year what stops a disgruntled government employee from using the information found.

      • That seems to be the least of the problems. Even if you assume good faith (and you can't... too many stories of individual immigration officers, possibly with the encouragement of higher ups, acting inhumanely towards would-be immigrants), the request doesn't make sense: if I say I don't have a Twitter or Facebook account, are they going to believe me? What are the chances I have one if I live in a part of the world with no Internet?

        And if I do, and I'm actually using my Facebook account to meet up with terrorists, preparing to be the first person ever from any of those seven countries to commit an act of terrorism in the US, what makes you think I'd use the same account for that as I do talking with friends and family? I mean, having one account used for both seems like it'd be asking for trouble. Guess which password you'd end up with...

        What a waste of time and resources, and a completely unnecessary invasion of privacy.

        For the 7 countries in question, you'd be right: chances are very likely that someone from Sudan, Libya, Somalia or Yemen doesn't have internet

        Also, you're right about the terrorist thing: a terrorist would maintain a personal profile for friends & family, and another for his Ansar al Jihad comrades. And he won't turn over the latter. But one reason for this is undoubtedly San Bernardino, where Tasfeen Malik used her personal page to promote Jihad

      • What a waste of time and resources, and a completely unnecessary invasion of privacy.

        This only applies to the seven banned countries, countries that don't have reliable records.

        If you travel to the US from Europe, the US requests your police, financial, and surveillance records from your home country. In that case, they don't need your social media accounts, because that contains everything from your political affiliations to the terms of endearment you use with your Swedish mistress.

        If you travel to the US

    • Re: (Score:2)

      by Jhon ( 241832 )

      Access to financial records can make sense. The social media thing is just stupid. People will just start using two sets of email and two sets of social media. One set for me -- and one set for Mrs. Grundy to review which has tons of "followings" of cat videos and dog tricks.

    • Re: (Score:2)

      by ugen ( 93902 )

      I don't think there is much respect left for "evidence chain", in particular wrt. non-US-citizens.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      You're so close to realizing this will eventually become mandatory unfettered read-only API calls for the gubmint.

      Better also keep an eye on them for domestic dissidents too. Maybe we can come up with a catchy name for it like COINTELPRO.

    • Re: (Score:3)

      by caseih ( 160668 )

      If they want to vet someone's social media presence, they can already subpoena these predominantly American companies and get this information. But what about someone who has no social media presence at all?

      The feds have been trending in this general direction for years now, with suspensions of constitutional rights at border crossings that started back under Bush and Obama. Unfortunately the new administration is even less respectful of the rule of law.

      You're absolutely right that officials can with thi

    • I can imagine Facebook, Twitter etc. blowing up over this.

      Me too, except "blowing up" in the sense of suddenly having lots of new account signups. I imagine a desk at airports, with public computer everyone uses to sign up for accounts on these websites, in order to have a password to hand over.

      "Uh, yeah, my account is throwaway12345@gmail.com. My password is 12345."

      how can they use ANYTHING they find as evidence of anything?

      This isn't for purposes of finding evidence. It's for theater. Someone got the ide

      • Re: (Score:2)

        by qbast ( 1265706 )

        "Uh, yeah, my account is throwaway12345@gmail.com. My password is 12345."

        Uh, yeah, you are going back on next flight. See you, smarty pants.

    • Re: (Score:2, Funny)

      by Anonymous Coward

      Evidence chain: ancient concept based on the alleged difference between facts and unfacts

    • Re:WTF? (Score:4, Interesting)

      by The-Ixian ( 168184 ) on Wednesday February 08, 2017 @10:53AM (#53826033)

      I think it is fine as long as all other countries ask for traveling American's passwords.

      Just wait for that blow-up

      • I think it is fine as long as all other countries ask for traveling American's passwords.

        Just wait for that blow-up

        Americans following the same rules they expect others to follow? Not a chance!

    • Rules of evidence don't apply in this case unless they try to prosecute you for something. Denial of entry does not require the same standards as criminal prosecution.

    • I can imagine Facebook, Twitter etc. blowing up over this.

      Besides, if they get password access how can they use ANYTHING they find as evidence of anything? They've got WRITE access, for crying out loud! The evidence chain isn't just poisoned, it's rotted right through.

      That's the point I made above - they can see things w/o a password, particularly in FB.

    • Besides, if they get password access how can they use ANYTHING they find as evidence of anything? They've got WRITE access, for crying out loud! The evidence chain isn't just poisoned, it's rotted right through.

      You're not on trial. They are trying to find evidence that's in your favor, not evidence against you. If they don't want to admit you, they don't have to bother planting evidence, they just stamp "denied" on your visa application.

  • What's stopping other countries? (Score:3)

    by gtall ( 79522 ) on Wednesday February 08, 2017 @10:16AM (#53825705)

    Maybe other countries will demand the same thing. I can see el Presidente Tweety giving up his password in the name of security.

  • Next up in 'Murica (Score:3)

    by TimothyHollins ( 4720957 ) on Wednesday February 08, 2017 @10:20AM (#53825747)

    Next up on the hit series "'Murica: Hell yeah!", the orange prez makes a scandalous law - all students are to get daily cavity searches.

    While glove manufacturer stock prices are soaring, Homeland Security Secretary John Kelly tells worried students "If you don't want your rectum searched for contraband, just stay at home.

    God-damn the news are getting entertaining.

  • Uh huh, and then... (Score:3)

    by fahrbot-bot ( 874524 ) on Wednesday February 08, 2017 @10:25AM (#53825795)

    People will just keep real and fake social media accounts. One for real stuff, and one for border control to ogle.

  • Is it to be a requirement to hand over passwords to accounts that don't exist.

    DHS: "Social media logins and passwords, please.
    Victim: "I don't have any social media accounts. I don't want to be Zuck's product"
    DHS: "BS! Everyone has an account! No entry! Cavity search!"

    Or...

    DHS: "Social media logins and passwords, please"
    Victim: "here."
    DHS: "These accounts are brand new, you must be a terrorist! No entry! Cavity search!"

  • The message this sends (Score:3)

    by rossdee ( 243626 ) on Wednesday February 08, 2017 @10:31AM (#53825835)

    USA doesn't want tourists visiting the country
    or business people doing trade deals

    • To be fair that's been the message for a long time. There's few countries I dread visiting, and the USA is one of them. I remember my last business trip clearly.

      "Welcome to the United States of America" it said in the customs area of the airport. I got to stare at that shitty sign for 3 hours as a single customs man took his time individually fingerprinting and questioning the thousand visitors queued up.

      America is a lovely place and the people are lovely and friendly. But I still dread actually clearing c

    • Re: (Score:2)

      by Kohath ( 38547 )

      If there's a security risk, then why should America want that? Because we're going to miss out on all that lucrative trade with Libya and Somalia and Yemen?

      If your country's slogan is "Death to America!" then maybe we can do without your tourist business. Please visit Canada instead.

  • Profit motive will keep us safe (probably) (Score:3)

    by sjbe ( 173966 ) on Wednesday February 08, 2017 @10:35AM (#53825875)

    I'm not surprised DHS is "considering" something like this. Certain gestapo elements in our government always are trying thuggish and ill considered tactics to make their lives easier. This is plainly a stupid and counterproductive idea to anyone with a functioning brain but the danger is real enough. The good news is that the companies affected (Facebook, Twitter, etc) have lots of money and flesh eating lawyers to fight such an over-reach by the government. I don't generally trust Facebook but I do trust their profit motive and DHS forcing people to hand over passwords is a clear and present danger to their bottom line.

  • Read-only password needed (Score:4, Interesting)

    by QuietLagoon ( 813062 ) on Wednesday February 08, 2017 @10:37AM (#53825899)
    If this behavior is permitted, then the social media sites need to start implementing read-only passwords for account. It is one thing to allow the US government to see everything n your account, and all your friend's accounts. It is an entirely different thing to allow the US government to act on your behalf with your account.
    • They can implement POTS (parent over the shoulder) password too. Log in using that password, everything would be seemingly normal, with write access and everything. But only portions that you had declared "safe" using earlier regular full access password sessions would be visible.
  • Sucks to be DHS. My FB password alone is like 255 random characters. What about 2FA systems? They can have the password, but they're not getting the token.

    • Using 2FA authentication won't work to stop them.

      They ALREADY ask you to allow inspection of electronics. If you refuse to give them the password, expect to not get your phone, laptop, or tablet back till you either give them the password or they image the whole thing for NSA's "enhanced decryption".

      • What if you come into the country not planning to visit your social media account and therefor you don't bring and devices with you?

        It is already common practice for travelers to bring blanked out devices with them and then restore them once they are through the checkpoints.

  • I'll just start using 128 character passwords, randomly generated from the non-ascii part of Unicode.
    • Yeah, but will you remember them? I had enough trouble at one of my past employers, where we were required to change passwords every 90 days

  • Just create a fake account (Score:1)

    by Anonymous Coward

    Just create a fake account with a crappy password or tell them you don't have a social network account. If they give you hell, tell them to prove it. If they can prove it, it's your own damn fault for posting about yourself online.

  • This is only if you're coming from one of the seven banned countries.

    • Re: (Score:2)

      by ET3D ( 1169851 )

      Guilty as charged. :) Anyway, it implies that these people could get into the US, which mean no ban. So this is positive news.

  • You are admitted to the US (and other Western nations) only if you can establish with reasonable certainty that you (1) will leave again, and (2) won't cause harm while you're here. If you come from places like Europe, the US uses your police records, surveillance data, credit records, and similar information to make that determination. If you come from places like Somalia or Yemen, reliable records are not available, and the US is trying to use social media profiles as an unofficial substitute. I think tha

    • Actually, the above reason is why the US tried banning (which is currently in the courts) people from these 7 countries. Somalia, Yemen, Libya and Syria don't have reliable records. In fact, w/ Syria, it's tough to expect that the Assad regime, which the US had been trying to topple (not sure if that's still Trump's policy) would want to share anything w/ the US, and even if they did, they can't have records for the eastern half of their country that's run by ISIS. Same goes for Iraq: their government m

      • Actually, the above reason is why the US tried banning (which is currently in the courts) people from these 7 countries

        That's my point: the US government is offering to look at people's social media accounts in lieu of official government records.

        Anyway, the reason they probably want to know their social media activities is that for now, they are forced to let in people from these countries that they can't vet.

        I expect the court order will be overturned quickly. Not admitting people from countries without g

  • Just another reason to not use social media.
    P.S. I don't even remember my FB password, on those rare occasions that I try to use FB from a new device I always have to go through the "forgot your password?" ordeal. But I don't expect border officials to be too sympathetic about that.

  • Asking People To Commit a Felony (Score:3)

    by Kagato ( 116051 ) on Wednesday February 08, 2017 @10:52AM (#53826029)

    Most social networks (like Facebook) expressly forbid sharing passwords or allowing others to use your account. Because that's the policy it becomes a Felony according to the Computer Fraud and Abuse Act (CFAA). The United States Court of Appeals has affirmed sharing accounts contrary to the TOS is a violation of the CFAA and there are people in PRISON as we speak for doing just that.

    I would contend that you cannot be compelled to commit a felony by a agent of the United States. If DHS wants this power they need to have the CFAA amended to grant them an exemption.

  • No social media account? You're a terrorist.

  • That can only be described as fucking stupid. Hell, why don't we make them submit to vivisection? Then we could learn LOTS and be certain they couldn't be a threat afterwards!

    There are many reasons it is stupid but for starters: Most everyone reuses passwords simply so there is some chance that they can actually remember their passwords. So what this amounts to is, "Give us unrestricted access to everything."
    And this coming from one of the least trustworthy things that exists: A government agency...

    If
  • "I don't use social media. I think it's dumb."

    What are they going to do?

  • "No officer, I don't know my password. It is filled in automatically by my password manager, which lives on my laptop which I left at home." And off to jail you go.

  • How many social network identities, if any, I have? This is just plain FUD!

  • I simply won't go to the US unless my job forces me to. I certainly won't spend any tourist dollars there until this bullshit stops.

  • ... if they could just get Trump to hand over his Twitter password.

  • All home security companies allow you to set two passwords, one "All clear" and another one for "Not All clear, someone is forcing me to answer the phone". If you use the second password, the company will politely reply "ok sir/madam, everything is good. thank you", hang up and call the police.

    We can set up such a password, parent over the shoulder, password etc. They will appear to be normal and seemingly function cleanly. But it will expose only parts of the account you had already deemed safe for that

