Homeland Security Details New Tools For Extracting Device Data at US Borders (cnet.com) 113
Travelers heading to the US have many reasons to be cautious about their devices when it comes to privacy. A report released Thursday from the Department of Homeland Security provides even more cause for concern about how much data border patrol agents can pull from your phones and computers. From a report: In a Privacy Impact Assessment dated July 30, the DHS detailed its US Border Patrol Digital Forensics program, specifically for its development of tools to collect data from electronic devices. For years, DHS and border agents were allowed to search devices without a warrant, until a court found the practice unconstitutional in November 2019. In 2018, the agency searched more than 33,000 devices, compared to 30,200 searches in 2017 and just 4,764 searches in 2015. Civil rights advocates have argued against this kind of surveillance, saying it violates people's privacy rights.
The report highlights the DHS' capabilities, and shows that agents can create an exact copy of data on devices when travelers cross the border. According to the DHS, extracted data from devices can include: Contacts, call logs/details, IP addresses used by the device, calendar events, GPS locations used by the device, emails, social media information, cell site information, phone numbers, videos and pictures, account information (user names and aliases), text/chat messages, financial accounts and transactions, location history, browser bookmarks, notes, network information, and tasks list. The policy to retain this data for 75 years still remains, according to the report.
The report highlights the DHS' capabilities, and shows that agents can create an exact copy of data on devices when travelers cross the border. According to the DHS, extracted data from devices can include: Contacts, call logs/details, IP addresses used by the device, calendar events, GPS locations used by the device, emails, social media information, cell site information, phone numbers, videos and pictures, account information (user names and aliases), text/chat messages, financial accounts and transactions, location history, browser bookmarks, notes, network information, and tasks list. The policy to retain this data for 75 years still remains, according to the report.
No DB is permanently secure (Score:5, Insightful)
When Border Patrol leaks everyone is going to be in a world of hurt.
Re: (Score:3)
When Border Patrol leaks everyone is going to be in a world of hurt.
Naah, only the urinals.
Re: (Score:2)
orangemanbad
Are you referring to that managed baron?
Re: (Score:1)
#orangemandoubleplusgood
Not another bunch of incompetents with data (Score:5, Insightful)
Great.... another bunch of incompetents with large amounts of data, I can't wait for the DHS Leak torrent. Wikipedia better buy some bigger harddrives.
Re: Not another bunch of incompetents with data (Score:5, Insightful)
It gets worse and worse the more you think about it. Anyone with access to that data can probably make a fortune just from untraceable insider trading. Anyone includes ex-DHS employees.
Every cartel in the world would want it to track down possible leaks and cops. Every intelligence organization to figure out what's going on and who might be an operative. Even if it is just by someone NOT having data in it there is an indication of useful information.
Re: Not another bunch of incompetents with data (Score:4, Interesting)
Re: (Score:3)
Perhaps most are not so bright, but it only takes a handful of smart ones. The data only has to leak from one person.
Re: (Score:2)
The intelligent criminals already have this data, and more, from their underlings in the security services.
Re: (Score:2)
That's some serious confirmation bias you have there.
Remember, these are the ones who have been dumb enough to have been caught.
Re: (Score:2)
Re: (Score:3)
The criminals at the NSA and CIA don't even have to wait for the leak.
which is while I leave a high voltage USB killer (Score:1, Interesting)
in my suitcase.
Re: (Score:2)
Some of DHS's tools access data in RAM.
So it is a good idea to power-off your phone and laptop before going through customs.
Re: (Score:3)
It's a good idea to wipe your devices and then restore them from an encrypted backup over a VPN.
That's what I always do. Drive image, secure wipe, restore at destination.
Re: (Score:2)
Re:Not another bunch of incompetents with data (Score:5, Insightful)
Great.... another bunch of incompetents with large amounts of data, I can't wait for the DHS Leak torrent. Wikipedia better buy some bigger harddrives.
Yeah. Plus the angle that they're taking a copy of data which they don't own. I do not grant the US government license to read, store, transfer, or otherwise contact my data. So this is "piracy".
Then there's the joyous third-party data. I may be carrying data that I am entitled to access but am not legally entitled to share with any other party. Copying a phone/laptop violates those license agreements. By doing this, the US government may be violating the rights of data-owners who are US companies or citizens. And when that database gets hacked, they're responsible for uploading that third-party data.
There just isn't a scenario where this is okay.
Re:Not another bunch of incompetents with data (Score:5, Informative)
Technically, it's buccaneering, because those perpetrating the act are sanctioned by the government. It's only piracy when it's not sanctioned by the government.
Re:Not another bunch of incompetents with data (Score:5, Funny)
Re: (Score:1)
Yeah. Plus the angle that they're taking a copy of data which they don't own. I do not grant the US government license to read, store, transfer, or otherwise contact my data. So this is "piracy".
actually you do give them that license, it is part of the conditions of crossing the border.
Re: (Score:2)
Even though the courts have found it unconstitutional?
Re: (Score:2)
Re: (Score:2)
While I agree that the constitution and most other laws restraining the federal government have proven to be easily ignored and toothless, the assertion I was replying to was that:
actually you do give them that license, it is part of the conditions of crossing the border.
If they're just doing it to you against the actual law, then it's not part of the conditions of crossing the border and you're not giving them that license, they're just taking it. Arguing otherwise is like saying that you give license to roving bandits to break into your home and rob and murder you by living in a house.
Re: (Score:1)
Re: (Score:2)
Charity workers have had this issue when entering the UK. Laptops with confidential data, legally protected in various jurisdictions including the UK.
The UK border is a somewhat lawless place, normal rights and rules get trampled on. I've never been to the US but I hear it's similar.
Re: (Score:3)
The UK border is a somewhat lawless place, normal rights and rules get trampled on. I've never been to the US but I hear it's similar.
It is. And not only is it the literal border that's like this, but they can fuck with you within 100 miles of any border, which includes ocean coastlines. That means that the vast majority of people living in the USA are subject to arguably unconstitutional search and seizure all the time.
Re: (Score:2)
And, as I understand it, any airport which accepts international flights. (Or has accepted in the past, or has said it might accept international flights at some indeterminate point in the future, as part of expansion plans ; that area I'm unclear on.)
The last figures I saw were that something like 90% of the US population lives at risk of the Border Police, an
They aren't incompetent - they are stable geniuses (Score:3)
These are government employees, ergo they aren't incompetent. They are, by the fact that they took low-paying government jobs, inherently smarter than you and more capable of making all kinds of decisions about your life.
How dare you suggest that government workers and bureaucrats aren't automatically elite - they are, and should be put in charge of EVERYTHING, every part of your life.
Please tune in to MSNBC so they can explain to you why the people working for the federal government are so much smarter th
Re: (Score:2)
Re: (Score:2)
"No, your Honour, I didn't upload the music tracks with the watermark containing my unique ID in question to the pirate site, as you put it. I did however travel to the US last summer and my phone was copied by the DHS. Perhaps their database was hacked and that person put the tracks up on the site. I have noticed that some of my personal details have become available. I've asked DHS about it but they refused to say."
This is not enough (Score:3)
The border patrol agents should be allowed to execute a Vulcan mind melt, completely bypassing the electronic devices. That's the only certain way the DHS can figure out the real purpose of the traveler's visit.
Re:This is not enough (Score:4, Interesting)
Wouldn't it be easier to just shoot everybody at the border instead of melting their minds?
Re:This is not enough (Score:4, Informative)
Do not carry device across international boundaries. YOU are a foreigner, no rights apply to you and you are fucking stupid if you do not think they install software permanently to track when they download your privacy with no charge and no warrant. Buy then at a phone place not far from your port of call, prepaid, cheap and if you lose it meh. Leave you primary device at home when travelling overseas, when they ask for it, say no and tell them if they ask for the password, you will also refuse. If you want you data from you phone when overseas, load it onto you ISPs storage encrypted and download it at the location and then decrypt it. When leaving, delete all contents on the phone and sell it.
Re: (Score:2)
Solution:
Create a bootable SD card, and insert it into a hacked chromebook. (After hacking the chromebook, insert solder on the write protect screw hole to permanently set rom write protect.)
Produce a read-only filesystem image that fills the whole card. (We are aiming for the equal of WORM media here. The system will be a live DVD style image.) Set up a repeating DD operation that just continually writes that image onto the card over and over and over again, until the write protection circuitry inside the
Re: (Score:2)
I wouldn't buy a phone from somewhere near the airport, could easily be pre-bugged.
Re: (Score:2)
Re: (Score:2)
Borders are non-trustworthy zones. (Score:5, Insightful)
If I travel to the US I take a phone and/or laptop with minimal apps or info. Anything I need beyond that can be accessed remotely from my destination with much greater security.
Re: (Score:2)
Why not? That's what I do when I travel to other countries.
Re: (Score:3)
Don't get me wrong, it is not just the US.
All borders are non-trustworthy zones. Even my own (Canada) is sketchy in this regard.
Re: (Score:2)
''If I travel to the US I take a phone and/or laptop with minimal apps or info''
Even better, even as a citizen I never return home with a device that's not completely wiped. I've never had anything but a ''welcome home'' greeting from border control, but it's trivial to restore my mobile device to the state it was before I wiped it. As a citizen I would refuse to answer any questions about my personal accounts, or my travel activity. Other than providing non-specific information, the words am I under arrest
Re: (Score:3)
Here in Canada our courts have generally held that even non-citizens are protected by our Charter of Rights while they are in this country. I don't believe that to be the case in the US, but perhaps someone can correct me if I am wrong.
Re: (Score:2)
OK good to know. Thanks for that.
Re: (Score:2)
Oh someone with "minimal" data on their device? Smells like a terrorist to me!
Re: (Score:2)
Oh someone with "minimal" data on their device? Smells like a terrorist to me!
Some people travel only for the cavity searches. Who are we to judge their kink?
Re: Borders are non-trustworthy zones. (Score:2)
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
These Capabilities Are Far From New (Score:2)
how? (Score:1)
Comment removed (Score:4, Funny)
"DHS and border agents were allowed ... (Score:5, Insightful)
Bullshit. Not having a warrant makes it a 4th amendment violation before and after the ruling.
SCOTUS has said that executive agency policies, rules and regulations are the equivalent of laws. Ergo, they should have to be voted on by Congress before ALLOWED.
Congress of the United States, being vested with "all legislative powers" by Article One, Section 1 of the United States Constitution, ALL! What part of ALL does Congress and the Executive not understand?
Re: (Score:3, Informative)
Bullshit. Not having a warrant makes it a 4th amendment violation before and after the ruling.
And they ignore it with virtual impunity.
https://www.aclu.org/other/con... [aclu.org]
Re: (Score:2)
While I agree with you on the fourth amendment violation, you are wrong on executive agency policy. They are "equivalent" to laws in that they have the force of law. That in no way means they should be voted on by congress, because they are still not laws. That would put WAY too much power in the hands of congress.
Re: (Score:2)
While I agree with you on the fourth amendment violation, you are wrong on executive agency policy. They are "equivalent" to laws in that they have the force of law. That in no way means they should be voted on by congress, because they are still not laws. That would put WAY too much power in the hands of congress.
All the force of law with even less accountability. What is not to like? /s
Re:"DHS and border agents were allowed ... (Score:4, Interesting)
The word "warrant" never appears.
As for executive agency rules, those are interpretations of congressional rules. And congress changes the rules from time to time. But passing a law like "the area where endangered bald eagles live shall not be polluted by X, Y or Z" and letting some executive agency employees update that map annually seems better than congress hearing from that same expert and voting to update the map.
Re: (Score:2)
Bullshit. Not having a warrant makes it a 4th amendment violation before and after the ruling.
What's a 4th amendment and how does it apply to a constitution free zone?
Re: (Score:2)
The US Constitution does not recognize constitution free zones. That's a government invention.
Re: (Score:2)
The US Constitution does not recognize constitution free zones. That's a government invention.
That should tell you everything you need to know about that 250 year old paper you think protects you.
When business travel was still a thing... (Score:5, Interesting)
Thanks to Sars-CoV-2 the inconveniences of such business travel are now a thing of the past, and will likely not restart even when that pandemic is over.
Never travel with your phone (Score:2)
80% of the time they do not work in another country anyway.
Just buy a throw away that actually WORKS in the country you are going to.
Re: (Score:2)
Is that you Stallman? I thought you didn't have a phone because they're tracking you and anyway it wouldn't be working because of all the tinfoil hat.
Also this thing with the phone not working in other countries is valid only for some weird CDMA providers, if you have a GSM (and above) phone it'll work everywhere (including the US). Maybe not all frequencies everywhere but usually you won't be able to tell, "it just works".
Re: (Score:2)
If you buy your phone unlocked or pay it off, then it works fine with a local SIM in other countries. For US providers, Sprint and T-Mobile both have standard, included unlimited international roaming for free. It's very slow, but it works for messaging and light usage.
You're better of just actually powering off your phone and laptop when entering another countries. They should be encrypted at rest (hopefully your laptop uses full disk encryption), so there's nothing useful they can copy off. In the US at l
border control (Score:2, Informative)
Re: (Score:2)
SSD memory is super easy to restore. If you care about keeping your data private, I wouldn't recommend it.
Re: (Score:3)
On the contrary, SSDs are HARDER to recover than normal hard drives because they'll have TRIM, the OS needs to tell the drive what it doesn't need anymore (for performance reasons). Once it does that the data is pretty much gone, as opposed to sitting there on a normal hard drive until it's overwritten (it can be years until the space is needed). Of course the process isn't guaranteed and depended on a ton of wear leveling algorithms but in any case it's MUCH different from a hard drive where the data just
Re: (Score:2)
You can take advantage of self encryption on laptops as well. Many have Window's implementation, Bitlocker, enabled by default anyway, but an alternative is sedutil. You can stick it on a bootable USB drive to enter the password at boot.
There are advantages and disadvantages. On the plus side border agents are clueless about it and you can show them your "blank" laptop that only gets as far as a "no bootable disk found" prompt. Tell them you wiped it and will restore it at other other end, because you are w
Re: (Score:2)
Sure, you can use encryption (it's another discussion about if you can be forced to provide the key) but the point I was making was that a factory reset phone is not "super easy to restore" as the storage is encrypted and the keys were wiped (and probably will get wiped the second time when somebody unlocks the bootloader to be able to access the raw block device).
Re: (Score:2, Interesting)
Re: (Score:2)
That's a LOT of effort for the average person unless you really have something you're trying to hide. Basically no one will do it otherwise. Just power off your phone and set an actual password on it instead of a 4 digit PIN. The data is encrypted at rest, and the US courts have ruled that they can't force you to give your password.
What about the other extreme? (Score:2)
Re:What about the other extreme? (Score:4, Interesting)
Bringing multiple devices with gb of junk would be also very impractical to scan
They will just bill you for the time or lock you up for obstruction. Also, enjoy your spot on the "terrorist" watchlist.
Re: (Score:2)
They won't bill or detain most people. they will simply keep the hardware for inspection.
Re: (Score:2)
Well, yes. But do you want to risk it?
Land of the Free(ish) (Score:2)
If we started calling it "Heimatschutz" would you feel the same way?
I thought you lived in the Home of the Free.
Re: (Score:1)
I thought you lived in the Home of the Free.
No, but we do have everyday low prices. What else is there?
They are not allowed to do this anymore, right? (Score:3)
Re: (Score:3)
You mistake them for people who give a fuck about what they are allowed to do.
ok so tell me where this fails... (Score:2)
User takes hard drive out of laptop
User FedEx's the hard drive to himself inside the country
User crosses the border
User receives hard drive, reinserts into laptop
Alternately:
User sends data to cloud service.
User scrubs hard drive
User goes over border
User restore from cloud
So these border tactics -- are they only for stupid criminals?
Re: (Score:2)
So these border tactics -- are they only for stupid criminals?
Yes. Also a warning to foreigners in general to stay away.
Re: (Score:2)
So these border tactics -- are they only for stupid criminals?
Yes. Also a warning to foreigners in general to stay away.
But not foreigners who are actually bringing in contraband information. Child porn, for instance. Because shipping it across the border or electronic transfer is absurdly easy. So I'm still not sure what these rules accomplish.
Re: (Score:2)
Any package traveling across borders is subject to inspection and/or seizure but whatever nation's customs that package traverses. Its not likely to get analyzed, but neither are devices carried across the border. The way this article suggests is that ALL electronic devices are scanned/imaged. I'd bet its less than 0.0001% for the US.
Re: (Score:2)
---long sanitization process---
It is much less hassle to go somewhere else and skip the Soviet Union of America.
Travel phone (Score:3)
Who would take their regular phone over the border (Score:2)
I just don't understand taking a regular phone on a trip. Want all those contacts? Email them or something. Want THEM to have all those contacts? Drag them thru the border on your phone.
Re: (Score:2)
You may rest assured, if I travel with a phone, I want them to copy that data.
Remember the story of the Trojan horse? There's a reason a particular kind of malware got that moniker. No attack is as powerful as an inside job.
Re: (Score:2)
Something like 80% of Canadians live at less than 100km of the border, it is easy and common to take your car to go to the USA for shopping, camping, hiking, etc. Some Canadians even work in USA and cross border every day, opposite is true too.
Virtualize phone/laptop (Score:3, Interesting)
The solution is to virtualize your phone/laptop. Run a hypervisor on the bare metal and perform your work in a VM. Before you leave the country, upload the VM to the cloud and remove it from your device. Do the reverse when you get to your destination. This is already doable on laptops. Less so I think on phones but I would be surprised if the hardware wasn't able to make it technically feasible.
Re: (Score:2)
If they happen to do a forensic clone of the storage they'd have deleted data or traces of data in the OS.
I mention this because that type of cloning is exactly what the UK Border Force (formerly UKBA) has been doing at UK transport hubs.
Limited time (Score:2)
No worries, they only keep the data for a limited time of 75 years.
Any middle aged geek crossing the border with his iPhone, iPad and Macbook, should be pushing up daisies by then.
Going to the US is like going to Iran (or Israel, (Score:2)
You think there is sometbing wrong if they do NOT fist your anus and put terrorist plans and child porn on your devices if you complain when abused. ;)
Luckily, we don't need to travel there. Ever.
I only feel bad for those that have to live there.
This is gonna be good (Score:2)
Well, not for 2020. But as soon as security conferences become a reality again and Antivirus-researchers travel with live samples of current threats again, and these dimwits copy and execute those, this is gonna get colorful and funny.
Large SD card (Score:2)
Instead of a backup, you could create a bootable SD card.
Re: (Score:2)
Bigger Haystack (Score:2)
If you expect to be copied at the border, bring a device with as little personal info as needed... but make sure to have the largest HD installed you can spare and FILL IT with tons of junk. mild porn jpg, videos, pdfs, spam email archives (from testing data), maybe make a randomize script to multiply the files... another script to go touch every file on the system. One could use any AI text generating software to make up never ending spam files. Do keep in mind you'll have to wait while they copy it so
at US Borders (Score:3)
Leave your phone at home (Score:1)
Border Patrol can do this away from Borders (Score:2)
The Border Patrol is allowed to do this, without warrant, to any person within *100 miles* (160 km) of a land or sea border. You know, where most of the population lives.