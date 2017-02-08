US Visitors May Have to Hand Over Social Media Passwords: DHS (nbcnews.com) 98
People who want to visit the United States could be asked to hand over their social-media passwords to officials as part of enhanced security checks, the country's top domestic security chief said. From a report on NBC: Homeland Security Secretary John Kelly told Congress on Tuesday the measure was one of several being considered to vet refugees and visa applicants from seven Muslim-majority countries. "We want to get on their social media, with passwords: What do you do, what do you say?" he told the House Homeland Security Committee. "If they don't want to cooperate then you don't come in."
At least with FB it's against the TOS, and if you sign on from an unfamiliar IP, it would try other challenges to validate your identity.
It's against the TOS for the user to let another access their account via the password. I didn't see anything in there about being on the receiving end. I would say it's implied, but it's not explicit. So security would be effectively forcing the user to violate the agreement with Facebook. Not sure how that plays out legally, but I'm assuming Facebook has every right to terminate their account for complying with the security check.
Here's the clause:
"You will not share your password (or in the case of developers, your secret key), let anyone else access your account, or do anything else that might jeopardize the security of your account.
You will not transfer your account (including any Page or application you administer) to anyone without first getting our written permission."
Because it's against the TOS, it's against the Computer Fraud and Abuse Act. CBP is asking people to commit a felony. The United States Court of Appeals held just last year that sharing password and allowing access contrary to the TOS is a violation. There are people in PRISON right now for commit this crime. I would not recommend doing it and Facebook should make a statement that what DHS is proposing is against the law.
If DHS wants to do this they need to ask congress to add an exemption to the CFAA.
It's also against the 4th amendment:
"The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated..."
I would argue that an on-line account is an effect of a person (actually in both definitions of the word) and the constitution does not exclude non citizens.
Just disgraceful what my country has done to it's charter document.
At the border, any and all "searches and seizures" are considered "reasonable" for purposes of the Fourth Amendment. See Border search exception [wikipedia.org].
Yep. I could hand over my password. But they'll have a hell of a time getting past the SSO codes (Unless the NSA has cracked that system somehow)
But I'm going to give the US a pass over the next 4 years. I have nothing to hide, but on a matter of principles I wouldnt give my own govt my passwords, and I sure as hell wouldnt give a foreign govt them.
Your latter point is right on. But one implication of this - if a person claims that he doesn't have a social media profile, and later on, it turns out that at the time of questioning, he actually did, that would be a reason to scrutinize him further. Of course, if he created one after coming to the US, it would be another story. But the main point is to make sure that anyone w/ a social media profile is looked at, so that you wouldn't have more Tasfeen Maliks.
I recently opened a new facebook profile
WTF? (Score:5, Interesting)
I can imagine Facebook, Twitter etc. blowing up over this.
Besides, if they get password access how can they use ANYTHING they find as evidence of anything? They've got WRITE access, for crying out loud! The evidence chain isn't just poisoned, it's rotted right through.
Most social websites will have a timestamp of when the post was made or edited. So, government trapping people by writing fake posts may not be a viable option. Or at least we know this, not sure if the bozos running the government do. I think they might even try!
I'll wager money on them trying.
Not necessarily as a program of sorts, but single operators with access because of their position certainly will.
Re:WTF? (Score:5, Insightful)
That seems to be the least of the problems. Even if you assume good faith (and you can't... too many stories of individual immigration officers, possibly with the encouragement of higher ups, acting inhumanely towards would-be immigrants), the request doesn't make sense: if I say I don't have a Twitter or Facebook account, are they going to believe me? What are the chances I have one if I live in a part of the world with no Internet?
And if I do, and I'm actually using my Facebook account to meet up with terrorists, preparing to be the first person ever from any of those seven countries to commit an act of terrorism in the US, what makes you think I'd use the same account for that as I do talking with friends and family? I mean, having one account used for both seems like it'd be asking for trouble. Guess which password you'd end up with...
What a waste of time and resources, and a completely unnecessary invasion of privacy.
Re:WTF? (Score:4, Insightful)
Exactly this. It would take minimal effort for a would-be terrorist to make a "clean" Facebook account. Have it only friend pro-US people and be completely innocuous - not even discussing US politics, but discussing which pop band is the best and the results of "Which Hogwarts House Am I In" quizzes. A clever terrorist organization could even have a whole division dedicated to maintaining these accounts for years before handing them over to the would-be-terrorist. DHS gets the clean Facebook account and doesn't see the secondary account where he's liked every anti-US Facebook post there is. This won't protect us from terrorists (except, maybe extremely stupid ones), will weaken the security of people entering the US, and will lead to abuse.
Please alsp define "Social media" I do not have Facebook, twitter or similar accounts. Is
/. Social Media? Is the webserver with my domain name one, because that is where I put anything I think is important on (It is nothing).
Is Usernet "Social Media"? What about email?
This is the same as any other thing that gives someone access to personal data. Identity theft in just the US costs victims billions a year what stops a disgruntled government employee from using the information found.
That seems to be the least of the problems. Even if you assume good faith (and you can't... too many stories of individual immigration officers, possibly with the encouragement of higher ups, acting inhumanely towards would-be immigrants), the request doesn't make sense: if I say I don't have a Twitter or Facebook account, are they going to believe me? What are the chances I have one if I live in a part of the world with no Internet?
And if I do, and I'm actually using my Facebook account to meet up with terrorists, preparing to be the first person ever from any of those seven countries to commit an act of terrorism in the US, what makes you think I'd use the same account for that as I do talking with friends and family? I mean, having one account used for both seems like it'd be asking for trouble. Guess which password you'd end up with...
What a waste of time and resources, and a completely unnecessary invasion of privacy.
For the 7 countries in question, you'd be right: chances are very likely that someone from Sudan, Libya, Somalia or Yemen doesn't have internet
Also, you're right about the terrorist thing: a terrorist would maintain a personal profile for friends & family, and another for his Ansar al Jihad comrades. And he won't turn over the latter. But one reason for this is undoubtedly San Bernardino, where Tasfeen Malik used her personal page to promote Jihad
Access to financial records can make sense. The social media thing is just stupid. People will just start using two sets of email and two sets of social media. One set for me -- and one set for Mrs. Grundy to review which has tons of "followings" of cat videos and dog tricks.
I don't think there is much respect left for "evidence chain", in particular wrt. non-US-citizens.
You're so close to realizing this will eventually become mandatory unfettered read-only API calls for the gubmint.
Better also keep an eye on them for domestic dissidents too. Maybe we can come up with a catchy name for it like COINTELPRO.
Re: (Score:3)
If they want to vet someone's social media presence, they can already subpoena these predominantly American companies and get this information. But what about someone who has no social media presence at all?
The feds have been trending in this general direction for years now, with suspensions of constitutional rights at border crossings that started back under Bush and Obama. Unfortunately the new administration is even less respectful of the rule of law.
You're absolutely right that officials can with this
Me too, except "blowing up" in the sense of suddenly having lots of new account signups. I imagine a desk at airports, with public computer everyone uses to sign up for accounts on these websites, in order to have a password to hand over.
"Uh, yeah, my account is throwaway12345@gmail.com. My password is 12345."
This isn't for purposes of finding evidence. It's for theater. Someone got the idea
"Uh, yeah, my account is throwaway12345@gmail.com. My password is 12345."
Uh, yeah, you are going back on next flight. See you, smarty pants.
Yeah, but most people don't have their Twitter handles tattooed on their foreheads. (Neither do I, it was just the most over-the-top thing I could think of.)
So, a visitor to the U.S. would still have to tell the government stooge their Twitter handle and password. The point being, if they just turned over a Twitter handle, how does the government stooge prove that it's that visitor's Twitter account? Clearly, if you know the password, that goes a long way towards proving that.
Except, what's keeping someone
Evidence chain: ancient concept based on the alleged difference between facts and unfacts
Re:WTF? (Score:4, Interesting)
I think it is fine as long as all other countries ask for traveling American's passwords.
Just wait for that blow-up
I can imagine Facebook, Twitter etc. blowing up over this.
Besides, if they get password access how can they use ANYTHING they find as evidence of anything? They've got WRITE access, for crying out loud! The evidence chain isn't just poisoned, it's rotted right through.
That's the point I made above - they can see things w/o a password, particularly in FB.
What's stopping other countries? (Score:3)
Maybe other countries will demand the same thing. I can see el Presidente Tweety giving up his password in the name of security.
Its simple, more and more people are now avoiding the USA.
If I need to fly to Europe from New Zealand I now go through Hong Kong or one of the other non-us routes. This is now the preferred method for all staff as the risks of IT devices (computers/phones/etc) being compromised at the US boarder is now considered too high.
There is also a growing preference for equipment from the EU as any training will be outside of the US too.
The US is slowly but surely shitting in its own nest.
I know personally, for family
Other countries do. In particular Canadian border officials have a habit of asking the same thing. In the US however CPB is actually asking people to commit a Felony.
Re: (Score:3)
I would love to see this happen.
Just wait for the entitled Americans to cry to their government reps about how they are being treated like garbage.
Um... TFA said "We want to get on their social media, with passwords".
What you suggest will not allow them to "get on their social media". It's the same as telling them to go pound sand.
Enjoy paying 10 cents to your carrier to receive an SMS every time you log in.
Simple - you tell the visa applicant to give the DHS the real accounts and not the benign ones, otherwise they aren't allowed in.
Seriously though, I haven't logged onto my facebook account for about 18 months now - so that could flag up as being fake. That is if they could find it - I had the security settings locked down so that I can't even find it knowing my name and username.
Next up in 'Murica (Score:3)
Next up on the hit series "'Murica: Hell yeah!", the orange prez makes a scandalous law - all students are to get daily cavity searches.
While glove manufacturer stock prices are soaring, Homeland Security Secretary John Kelly tells worried students "If you don't want your rectum searched for contraband, just stay at home.
God-damn the news are getting entertaining.
TGFO?
What about 2FA?
What if you don't know your password (password manager)?
What if you don't have a social media account?
All perfectly valid non-edge cases.
Uh huh, and then... (Score:3)
People will just keep real and fake social media accounts. One for real stuff, and one for border control to ogle.
So if I don't have any social media accounts? (Score:1)
Is it to be a requirement to hand over passwords to accounts that don't exist.
DHS: "Social media logins and passwords, please.
Victim: "I don't have any social media accounts. I don't want to be Zuck's product"
DHS: "BS! Everyone has an account! No entry! Cavity search!"
Or...
DHS: "Social media logins and passwords, please"
Victim: "here."
DHS: "These accounts are brand new, you must be a terrorist! No entry! Cavity search!"
Re: If you want to come to my country... (Score:3)
The message this sends (Score:3)
USA doesn't want tourists visiting the country
or business people doing trade deals
Profit motive will keep us safe (probably) (Score:2)
I'm not surprised DHS is "considering" something like this. Certain gestapo elements in our government always are trying thuggish and ill considered tactics to make their lives easier. This is plainly a stupid and counterproductive idea to anyone with a functioning brain but the danger is real enough. The good news is that the companies affected (Facebook, Twitter, etc) have lots of money and flesh eating lawyers to fight such an over-reach by the government. I don't generally trust Facebook but I do tr
Could President Trump pass this test? (Score:1)
This screening requires judgment to figure out who the person coming in is.
Sorting between a friendly, harmless wacko and a risky one is not always easy.
If the DHS didn't know they were screening the President, I wonder how the test would turn out.
Read-only password needed (Score:4, Interesting)
I don't even know my passwords (Score:2)
Using 2FA authentication won't work to stop them.
They ALREADY ask you to allow inspection of electronics. If you refuse to give them the password, expect to not get your phone, laptop, or tablet back till you either give them the password or they image the whole thing for NSA's "enhanced decryption".
What if you come into the country not planning to visit your social media account and therefor you don't bring and devices with you?
It is already common practice for travelers to bring blanked out devices with them and then restore them once they are through the checkpoints.
No problem (Score:1)
Just create a fake account (Score:1)
Just create a fake account with a crappy password or tell them you don't have a social network account. If they give you hell, tell them to prove it. If they can prove it, it's your own damn fault for posting about yourself online.
Nobody read the article (Score:2)
This is only if you're coming from one of the seven banned countries.
Guilty as charged.
:) Anyway, it implies that these people could get into the US, which mean no ban. So this is positive news.
not such a good idea (Score:1)
You are admitted to the US (and other Western nations) only if you can establish with reasonable certainty that you (1) will leave again, and (2) won't cause harm while you're here. If you come from places like Europe, the US uses your police records, surveillance data, credit records, and similar information to make that determination. If you come from places like Somalia or Yemen, reliable records are not available, and the US is trying to use social media profiles as an unofficial substitute. I think tha
Oh, well (Score:2)
P.S. I don't even remember my FB password, on those rare occasions that I try to use FB from a new device I always have to go through the "forgot your password?" ordeal. But I don't expect border officials to be too sympathetic about that.
Asking People To Commit a Felony (Score:2)
Most social networks (like Facebook) expressly forbid sharing passwords or allowing others to use your account. Because that's the policy it becomes a Felony according to the Computer Fraud and Abuse Act (CFAA). The United States Court of Appeals has affirmed sharing accounts contrary to the TOS is a violation of the CFAA and there are people in PRISON as we speak for doing just that.
I would contend that you cannot be compelled to commit a felony by a agent of the United States. If DHS wants this power they
Slashdot readers predicted this last year (Score:2)
No social media account? You're a terrorist.
From the geniuses at DHS... (Score:2)
There are many reasons it is stupid but for starters: Most everyone reuses passwords simply so there is some chance that they can actually remember their passwords. So what this amounts to is, "Give us unrestricted access to everything."
And this coming from one of the least trustworthy things that exists: A government agency...
If
Simple solution... (Score:1)
What are they going to do?
Thanks, password manager (Score:2)
"No officer, I don't know my password. It is filled in automatically by my password manager, which lives on my laptop which I left at home." And off to jail you go.
How do they know (Score:2)