Canada Border Services seizes lawyer's phone, laptop for not sharing passwords (cbc.ca)
950 points by cpncrunch on May 5, 2019 | 457 comments


>Wright refused, telling the officer both devices contained confidential information protected by solicitor-client privilege.

>He said the officer then confiscated his phone and laptop, and told him the items would be sent to a government lab which would try to crack his passwords and search his files.

Can this be used to get whatever case(s) he was defending thrown out because solicitor-client privilege was violated or parallel construction was used?


This and related edge cases are something that I've always wondered about e.g. where compliance would be illegal. There are a number of scenarios where one can have content on devices that it is expressly illegal to disclose to random border police. Even within a single country, there is a conflict of authority here.


When I was a grad student I worried about this, since I was required to keep study participant data and student data confidential.

Sounds like this lawyer arrived at the same plan I did:

Refuse the request, file a lawsuit, and contact the media when released to shame the government that saw fit to violate my rights.


Encrypt the data (probably easiest way is to use encrypted 7z archive), memorize the password, upload the encrypted data into any cloud storage (e.g. Google Drive) and don't care about disclosing anything on your devices.


For work data such as the lawyer's in the article, I would recommend going one step further and not having the password in the first place. You can achieve this by, for example, having the server admin at work remotely unlock the device on request, having hardware tokens at trusted locations, or using software that provides a similar effect. No amount of $5 wrench or legal threats can change the situation, as it is not in your hands to give them access, and you can helpfully give the path forward for the officers to follow. Even better if you have a written company policy with you which spells out that employees don't have the capability to unlock devices during travel.


For confidential work data, unless there is a reason it needs to be used disconnected from the internet, it would be better if it was simply never on the laptop at all. The workplace could just use virtual desktops that never leave the company’s IT infrastructure, but are remotely logged on to from whatever device users need to work from.


How would the 5 dollar wrench not work in this case? Isn't the administrator going to follow his order, so he can be made to call the administrator and reset keys etc.?


The value of the trick is just in pushing access control outside the situation.

Border services generally have extensive but constrained powers - in the US, they're limited in how far from a border they can exercise authority. So they don't get to arrest the administrator directly, or go and confiscate an access key sitting in Edmonton. They can still demand that whoever is at the border arrange for unlocking, and can probably seize the device if they're refused. But the threat "we'll lock you up until you open the device" is potentially legal, while "we'll lock you up as a hostage until somebody else opens this" has far less merit. (Obviously, none of this applies if you go someplace where actual hostage takings might happen.)

If the administrator says "I need physical access to unlock that" or "our firm's policy says I can only open devices once they're at one of our offices being used for billable hours", there's no one handy to apply the wrench to. At that point, confiscate-and-image is as much access as anyone can hope to get.


This assumes you can get the wrench close enough to the admin. If they are in another country, one that is outside of your jurisdiction you'll have a hard time applying your wrench.


The wrench need only be applied to whomever tells the admin to unlock the archive. In a manner that the admin is likely to accept the request.


This is where duress codes can be useful.


Quite.

Drill those, though.

Under stress, people fall back on learned patterns.


The usefulness of this "trick" relies on not having the _data_.

They aren't going to hit me with a wrench for the decryption password to a cloud-stored blob that's not on the device (and ideally, one they don't know about. Remember the password and the location of the data. Remember to secure-delete it from your device though. There should be an easy "prep for border crossing" checklist that includes this.)


Like, leave a private key at home and encrypt your drive with the public key before crossing the border? Yeah, at that point you are powerless to do anything until you are at home.


But what's the difference? The end result is the same: your device(s) are confiscated and they attempt to brute force the password. Telling an officer that you cannot give them the password because you did some techno-mumbo-jumbo is just going to piss them off and make them assume you have "something to hide" because "no honest person would go to those lengths".


Yes. This thread is full of people proposing inventive technical solutions to genuinely prohibit your own access to the device while you're going through customs, as if border patrol a) knows the difference and b) gives a damn. These are all functionally equivalent to "Um, I forgot my password." (Or, if you wish for a more plausible but equally ineffective excuse, "This is actually my mother's laptop; I'm bringing it to her and I don't know the password.")

If an LEO (claims to) need access to something and you give him a dead end, it's his job to assume you're lying and find the next legal option available to him.

The real question you should be asking yourselves isn't "How would you outsmart the caveman cop in this situation?" Rather, it's "What can/will you do, as a citizen, to resist the erosion of our civil liberties?" Sadly, I have no easy answers here.


> it's his job to assume you're lying and find the next legal option available to him.

Not sure where you live, but in the US it's actually his first and foremost responsibility to uphold a constitution that says that people are free from unreasonable searches and seizures.


Well, in a country with a for-profit, for-"performance" law enforcement system, where prosecutors are paid by how many people they put in jail and cops are paid by how many traffic tickets they write, do you really think some paper from 1787 is going to have much influence on a TSA agent if their paycheck depends on sorting out as many "bad guys" as possible?


The Canadian constitution (specifically the part of it called the Charter of Rights and Freedoms) guarantees the same right, however, constitutional rights in Canada are granted only up to "reasonable limits". Those limits are determined by the Supreme Court.


> people are free from unreasonable searches and seizures

I want to say "clearly you have never used US customs", though I suppose it's possible you have and you are just very lucky.


Oh, you should try that at the US border. Let us know how well it worked out...

Spoiler alert: If not cooperating, then BPO not friendly; Else, please proceed.


Better solution: access stuff via ssh graphically on another desktop machine for all work and browsing... on last access, remove the ssh key.

Then when CBP asks for the password, give it and watch them search the laptop.

You fulfilled your legal obligation to follow their orders despite the illegality; it's now their problem that they cannot find anything.

Note: all social public stuff is searchable on Google (tweets, Facebook postings, etc.).

CBP never needs a password; they are searching with that password for other reasons than the ones they GIVE.


You're right. I missed an important part of the comment I was replying to: you need to say something about "company policy" or "company lawyers"; now you're playing in both the social and technical realm.

Nothing justifies an honest person going to great lengths to do some weird thing quite like "company policy".

Nothing makes officers think twice like the mention of lawyers backed by Apple / Google levels of money.


This only works if you trust egress border crossing more than ingress. Otherwise you might as well not bring your laptop along in the first place as it'd be an encrypted deadweight.


As a casual traveller without multiple devices for different forms of travel, the idea of neutering 90% of my data temporarily actually appeals to me.


Not a great idea. You have no reason to believe deleted and cached copies aren’t lingering on your disk unprotected.


If you're THAT worried, then securely reformat disk and reinstall OS just before travel.


This action can be flagged as suspicious as well, triggering a deeper investigation into the traveler.

It's not always feasible, but the most secure way to protect clients'/employers' data is to encrypt the laptop and phone and ship to your destination via standard shipping services, then ship them back the same way before leaving for home. Carry a well used but non-critical burner laptop ($50 Chromebook off Craigslist) and/or phone ($20 Walmart smartphone) with you that won't wreck your world if it's confiscated and searched. If it is seized, take your receipt and go on about your business. When you get to your destination your actual devices will be waiting for you. You can safely forget about the burner devices.


Your advice to mail ahead your secure computer is not good. Mailed electronics are just as susceptible to search, if not more so, as what you keep with you.

I think the reality we have to grapple with, regardless of rights violated, is that if you want to cross a nation border, it's best to assume that all nations involved will end up with a copy of all the data (hopefully encrypted) you move across that border. In the face of that scenario, how do we proceed?


Unless you are under an active investigation, the chances of your mailed laptop or phone being intercepted and searched are far, far less than if they are on your person at the border.

Still, if you are paranoid enough you can mitigate the danger of your data falling into unsecured hands (at the border or by mail intercept) by using an encrypted shadow volume:

https://www.veracrypt.fr/en/Hidden%20Volume.html


> the chances of your mailed laptop or phone being intercepted and searched are far, far less than if they are on your person at the border

Isn't "mailing a laptop" now counted as sending dangerous goods, due to the battery?[0]

If so, the chances of it being subject to interception and/or search might well be far higher than someone just carrying a laptop in hand luggage across an international border.

[0] https://www.dhl.com/en/express/shipping/shipping_advice/lith...


How do you think the manufacturer ships them, one by one, to the purchasers?


I've just had a look on my favourite parcel shipping site and found this wording in their terms:

> RESTRICTED ITEMS The following items are deemed unsuitable for shipment by our services, and are therefore restricted. Any of these items being sent may result in surcharges, delays or confiscation by authorities where appropriate. No damage cover is available with these items:

> [a long list of stuff, including laptops]

So, who here would be happy to ship their laptop internationally without damage cover?


It's much easier for a policeman to demand the password to decrypt data when he has you in custody at customs than when it is searched by the mailman.

You're confusing "not perfect" with "not good". There's an old saying: when outrunning a bear, you don't have to be the fastest guy, you just have to be faster than the slowest guy.


> It's much easier for a policeman to demand the password to decrypt data when he has you in custody at customs than when it is searched by the mailman.

is that really true? I would expect that they can just perform hardware tampering when you're not present when searching in mailed items, but given that customs might use racial profiling to target you at airport, you may be better off mailing the computer securely, such as using tamper-proof or tamper-evident stickers/bags.


Dragnet demanding your password at the border is something we know they do - there are loads of witnesses saying they were asked for passwords at borders. Dragnet hardware tampering of electronics in the mail is not something we know they do.

I've only seen two articles claiming evidence of physical tampering - like a hoax about Dell from 2005 [1] and Bloomberg's dodgy story about spy chips from last year [2] - neither of which seems truthy, and neither of which involved mail interdiction.

(Of course, it's widely suspected mailed hardware can be tampered with, but most of the claims/speculation I've read has been about targeted tampering, not dragnet)

[1] https://www.snopes.com/fact-check/keyboard-loggers/

[2] https://techcrunch.com/2018/10/04/bloomberg-spy-chip-murky-w...


>I would expect that they can just perform hardware tampering when you're not present

On what legal authority?

The border search exemption is about searching, not tampering.

The issue is more that border agents are taking advantage of a law written before the age of computers to use powers the founders probably never intended.

I seriously doubt that there's any legal basis to bug a computer just because it was shipped internationally.

So if the threat model is being asked for your password, not being present when the device crosses is a good mitigation.

(If you've done enough bad things that the government is targeting you specifically, YMMV)


> Unless you are under an active investigation, the chances of your mailed laptop or phone being intercepted and searched are far, far less than if they are on your person at the border.

Inbound international mail is also subject to search by customs, that doesn't just happen to stuff the owner carries across the border.


Just send it like most other things in this situation are sent: in pieces.


> most secure way ... encrypt the laptop and phone and ship to your destination via standard shipping services

Absolutely not. Any time your hardware is physically out of your control is a time when someone could install a hardware keylogger or replace your ethernet card with one that exfiltrates data or whatever.

The most secure option is to travel with an encrypted hdd/phone on you with no way to decrypt them, and separately acquire the private key (e.g. via shipping a secure hardware token which is made to be tamper resistant to a trusted friend at your destination).

If the devices leave your control for more than a few minutes, consider the hardware compromised and never unlock them again.

Laptops simply are not made to be highly resistant to an attacker with physical access, whereas hardware keys are, so it's not a good idea to ship them.

If you do ship them, you'll have to do a physical examination for suspicious hardware at your destination, (as you presumably did when you first received them if you're that paranoid), and it's damn hard to find a good lab for that in some countries.

Your advice is good as a way that's secure for most people's threat models, but it is a far cry from being the most secure solution, and I'd argue it's much less secure than simply carrying them with you.


Carry a computer with encrypted data but don't use it; remove the hard drive to copy the data to another computer in order to decrypt the data with the separate key. Discard the old hard drive and old computer afterward.

Do not use a single key; require several keys that are with different people, combined only in the way that you know how. Ensure the people are present to notice if the police try to come in.
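
Added example, not part of the thread or any commenter's code: the "several keys that are with different people" idea in the comment above can be realized as an n-of-n XOR split of an archive or disk key, where every share is required and any smaller set reveals nothing about the key. The function names and the 32-byte key size are assumptions made for illustration.

```python
import secrets
from functools import reduce
from typing import List


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("shares must all have the same length")
    return bytes(x ^ y for x, y in zip(a, b))


def split_key(key: bytes, holders: int) -> List[bytes]:
    """Split `key` into `holders` shares; ALL of them are needed to rebuild it.

    The first holders-1 shares are uniformly random. The last share is the
    key XORed with every random share, so any subset that is missing even
    one share is statistically independent of the key.
    """
    if holders < 2:
        raise ValueError("need at least two holders")
    if not key:
        raise ValueError("key must not be empty")
    random_shares = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    last_share = reduce(xor_bytes, random_shares, key)
    return random_shares + [last_share]


def combine_shares(shares: List[bytes]) -> bytes:
    """Rebuild the key by XORing every share together."""
    if len(shares) < 2:
        raise ValueError("need at least two shares")
    return reduce(xor_bytes, shares)


if __name__ == "__main__":
    # Constructed sample: a fresh random 256-bit key split among three holders.
    key = secrets.token_bytes(32)
    shares = split_key(key, 3)
    for i, share in enumerate(shares, 1):
        print(f"holder {i}: {share.hex()}")
    print("all three shares rebuild the key:", combine_shares(shares) == key)
    print("two shares rebuild the key:      ", combine_shares(shares[:2]) == key)
```

The traveler carries only ciphertext; the key exists again only when every holder contributes a share. Losing any one share makes the data unrecoverable, which is the trade-off against a threshold scheme.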


By paraphrasing my comment as you did, you avoided the point I was making. What I proposed is the easiest and most secure way for a normal traveler not already under suspicion to avoid losing/exposing potential client and employer data to a foreign government during a border confiscation. By no means is it 100% foolproof and I never claimed it was. As I said elsewhere in the thread, if you're already the subject of an investigation your mailed package will be intercepted, but that's an entirely different conversation.

In short, the scope of my comment was avoiding a border seizure during travel, not 100% securing your devices from being compromised, which is an impossible goal short of just not using any devices, period.


> This action can be flagged as suspicious as well, triggering a deeper investigation into the traveler.

More and more people are probably doing this so this is going to stop being suspicious.


>This action can be flagged as suspicious as well, triggering a deeper investigation into the traveler.

Whenever I travel internationally on business and need a laptop, I'm required by company policy to bring a laptop freshly wiped by IT instead of my normal laptop.


That's sensible. So is this becoming the norm?


Yes, that’s something we can do as HN readers, but good luck explaining that to the average lawyer or paralegal.


Instructing them how to powerwash their Chromebook and then simply log in with their YubiKey again is achievable.


Or just set up a rental service for overseas computing. Good thing about non-programmers is they don’t need three days to get 300 pieces of software installed and configured on a new machine.


If you are going to bother you might as well do something that will be effective.


Can't you just use a tool like 'shred' to securely delete the file(s) ?


The problem here is knowing where all the files are. Are you sure you could list all the places eg ms word stores cached copies of your document? And that you’d be able to overwrite the data from copies that have since been unlinked from the filesystem?


Encryption is a better solution, always. It’s easier to forget a passphrase and render the key useless, especially if you’re using a SSD where the controller has no obligation to actually overwrite a cell that you’re trying to shred.


My understanding is that shred hasn't been reliable for many years now due to smarter and less predictable firmware in modern storage devices. Basically, you can't trust that your SSD deleted the data it said it did, or that it writes data to the place you told it.


Even with spinning rust, a sector remap would keep the old data in the old spot


So far as I know, wiping free space is a feature that has been available for many years in free utility suites and even recovery software (CCleaner, etc). I believe it's also directly available in Windows' Disk Cleanup utility; on Linux you can just use dd to fill the disk. This isn't as secure as a multiple wipe, but it can also be done multiple times; on Linux you can alternately use tr or some such to tell dd to write ones instead of /dev/zero.


Wiping free space doesn’t wipe the original location of a remapped sector. AFAIK, nothing will short of low level format, which you can’t do these days.


I'm not sure if it's feature of all modern SSD or Samsung ones, but I know that those SSD use AES internally for all data (not for encryption specifically, but because they need random bits for better storage and encryption is just a bonus). User usually does not deal with it, as it's handled in firmware, but BIOS have the option to securely erase the disk which just generates new key instantly and then, obviously, it's not possible to recover any data from old sectors.


Discover that your password has ended up in a swap file one day and hasn't been overwritten, and chrome left you logged into Google drive. I wouldn't trust this approach not to fail by accident.


Leave the computer you used for encryption and uploading at home.. Take an empty/new notebook/smartphone with you to show at the border?

edit: place a big random data file, which looks like encrypted data on your alibi notebook. Refuse to give password and let the government lab try to find the password..


> Leave the computer you used for encryption and uploading at home.. Take an empty/new notebook/smartphone with you to show at the border?

This is certainly safer, though maybe not possible on the return trip (where you're returning from someplace where you only have access to your laptop). If you need to be this careful, maybe it's best to do your work after livebooting into tails or something like that.

> edit: place a big random data file, which looks like encrypted data on your alibi notebook. Refuse to give password and let the government lab try to find the password..

Funny, but unnecessarily risky if you ask me.


Am realizing that not so long ago, saying that entering a democratic nation was riskier if, just a few seconds before customs, you had entered in a command line:

   head -c 1000000000 /dev/urandom | openssl enc -aes-256-cbc -a > risky.1Giga.file

would have been considered tin-foil-hatty, and now we're just getting used to it


I think someone was imprisoned in the UK for refusing to give a password. Don't joke with government.


> don't care about disclosing anything on your devices.

I'm not sure this is good advice. I think it's almost certainly better to have an unblemished record of assertion than a mixed record of assertion and acquiescence. Surely the latter appears far more suspicious.


I don't know about the US, but here in The Netherlands the technical cops are aware of cold boot attack. As a lawyer crossing a border you should use a device with a secure enclave, and have the device off. Or better: don't cross the border with your device.


Wouldn't it just make more sense to keep all the data encrypted on a cloud service and not travel with any of the data physically? One step further would be to not travel with any devices at all, and just purchase something after crossing the border.


That’s the idea behind 1password’s travel mode. Ostensibly you could do that for an entire device, but the easier you make it for yourself, the easier it is to write legislation saying you have to undo what you did. (Depends on the various jurisdictional constitutionalities of that kind of provision, but still.)


Rather than an encrypted archive, would an encrypted, hidden partition not work better? Anything sensitive goes on there, have it unmounted and invisible, leave the rest of the system as is, let 'em log in and search what they see.


Full drive encryption and then using spideroak for cloud storage is a better and easier solution


Full disk encryption doesn't help if you share the password that decrypts the disk.


Unless that disk had a low-level factory wipe afterward, some amount of that data will still be on the disk somewhere, and law enforcement has all the tools needed to recover it.


7zip uses a vulnerable RNG. It was posted here a while ago.


Why not remove the drive and replace it with something basic with a plain OS installed? It's quite simple even with MacBooks.


Recent MacBook Pros (I think all of the touchbar models) have the SSD soldered to the motherboard, so it's not simple to remove the hard drive.


Good reason not to buy then :)


Or use Veracrypt with AES25 and a 30+ character password. Good luck NSA trying to break that.


Methinks the NSA could break AES-25 just fine :)


It's easy to break your encryption. Trust me, if you live in a country that has crap laws, they will actually extract the password from you:

https://xkcd.com/538/

Edit: I'm not saying it's a bad idea to encrypt your drives, just that it doesn't save you from someone determined..


This post is about western countries. The vast majority of western countries will not literally torture you to death, in order to get rando citizen's phone passwords.

Encryption works great for this usecase, that almost everyone in this thread will be using it for.

People being tortured for their personal phone password by a rando border guard in basically any country, just isn't something that happens, despite what the internet memes would lead you to believe.

Even in supposedly bad countries, I really doubt that this "attack vector" is something that happens frequently.


How long can you be detained? And under what conditions? More than a few hours will get the vast majority of people cooperating. I suspect they could detain you for 24 hours, or even several days, but I don't know what the legal limit is for detaining a citizen at the border of their own country.

And for quite a lot of other people, even not being personally detained, but having to acquire new devices is inconvenient enough to compel cooperation. Who wants to buy new devices? Who has a need for two sets? It'd only be a cost of business for someone who does a decent amount of traveling and has confidential information to protect.

But then, that's a trap too because why should people need a reason? Why are only people with business/legal confidential information a protected class?


> How long can you be detained? And under what conditions

The answer is not very long. I'd call "a couple days" to be not a big deal, and not at all equivalent to being tortured to death, like the person I was responding to was implying would happen.

So yes, encryption does work, and all that will happen to you is that you could be moderately inconvenienced.

But even that I would expect to be rare. Most border security would just look at your computer, or whatever, not find anything on it (because the thing you show them just looks like an empty computer), and move on their way.

The narrative that I was responding to was this idea that technology solutions can always be bypassed, by torture or something, therefore technology solutions are worthless. And that's just not true.

An extremely effective technology solution to an incompetent border guard that is interrogating you is for all your devices to just appear like there isn't anything on them, like a new factory default computer that you just bought.

A guard will just look at that, not see anything, and then move on to the rest of his crappy job.


I gather it could be indefinite detention. Say 5 hour detention then they ask again. Then detention again. Repeat.

I think a couple days is good enough because people will miss holidays, work, plans etc. That's Western nations "torture" equivalent of a wrench


> . Say 5 hour detention then they ask again. Then detention again. Repeat.

Ok, and does this happen in real life?

The answer is no. It does not. In almost any western country in the world, the low paid border security guards are not detaining people in mass for days on end.

This stuff just isn't really happening to any large degree.


You can go to jail for years in the UK for refusing to disclose a password to law enforcement.[0]

[0] https://nakedsecurity.sophos.com/2018/09/04/how-refusing-to-...


And how often does that happen, in real life?

The answer is "not that often".

The example you gave was of someone who was suspected of murder.

The amount of people who are in the population of "people suspected of murder, and are jailed for not giving up their password", is a very small population size.


So as long as the government makes a pinky promise to never use their power elsewhere it's okay? Think at least a little about the future. They might be doing it now for a good cause, but how long is that going to last? There's nothing stopping them from jailing anybody who refuses to give up their password, because what's jailable is the act of not giving up your password.


> So as long as the government makes a pinky promise to never use their power elsewhere it's okay?

I never made any claims about what is or it is not OK.

The only claim that I am making is that this whole "XKCD wrench meme" is dumb, and that encryption actually works really well for the vast majority of people in the vast majority of usecases.

That's all. Encryption works, and you are not going to be tortured, or locked up forever, because you refused the order of a low paid border guard.

Such situations are extremely rare, and it is annoying that people keep bringing them up when they basically don't happen to anyone.


the parent isn't saying to encrypt your drives, they're saying to encrypt your data and store it separately from your computer - essentially treat any devices you're carrying across the border as compromised before you even reach the border.


If I'm understanding vbezhenar correctly, the implied step after uploading the encrypted file to a cloud storage service is to securely delete it from the computer you're carrying. Then, the authorities won't know that there is anything to beat out of you with their $5 wrench.


Yeah, but you still get beat with the $5 wrench. And if it was going to work in compelling you to give the password, it will still be pretty effective getting you to provide access to the cloud storage and the encryption password to it.


A couple of people would get beaten with the wrench the first few times it happened, but after a few weeks and a few high profile cases from Fortune 500 employees of "my CIO is the only one with the key", they'd move on to other targets or other methods.


How does the low paid border security drone even know you have a cloud storage account?

What country do you live in that has to worry about people being tortured to death on a frequent basis?

This stuff just doesn't happen often, despite what a silly XKCD comic would lead you to believe.

Encryption actually works pretty damn well, for basically all usecases that a normal person would come across.

The world is not a James Bond spy movie.


You're not going to be tortured to death, but there are quite a few things that the government can do to make your life miserable.


The $5 wrench isn’t what most people have to worry about; it’s the 5-hour detention without charge.


5 hour detention is nothing - expensed vacation :)

Extraordinary rendition to the Guantanamo Bay is what concerns me.


Maybe also have some relatively uninteresting encrypted files which you can hand over in this situation?


I'm not saying any of this is likely. But, as the topic was raised, if they break you and you start talking, you will volunteer the information. They don't need to know before hand.

That said, the most practical scenario here is to keep your important files secured somewhere else, cloud or elsewhere, and when they ask you to unlock your phone or laptop you say "Sure!" Because there's nothing to find and you're compliant and helpful so they quickly let you go after a proforma search.


> The world is not a James Bond spy movie.

Yeah, there is no James Bond outside the books and screen. But thermorectal cryptanalysis is out there and still beats most cyphers with ease. And it's not lethal!


But it will not work if you do not know the password. (It can also be time locked with false data; they don't know whether or not it is the real data.)


Or log into a guest account and let the dude search all he wants, lol.


If someone is travelling from country X through country Y with documents destined for country Z, and the government of X wants the documents to reach Z unobserved, this is the usual use-case for a government-of-X diplomatic pouch. (Or, if it’s the Z embassy sending to Z, a government-of-Z diplomatic pouch.)

I wonder if you could make the case here that the US government should be ensuring the functioning of its judicial system by issuing lawyers who leave the country a “loopback” diplomatic pouch—one issued by X, destined for X, protected during travels to all not-X.

(This could currently be achieved by X-gov issuing a pouch destined for X-embassy in transit country Y, which the traveller must visit to have their documents re-wrapped in a pouch from X-embassy back to X-gov. The change would just simplify things by making the visit to X-embassy unnecessary.)


Lawyers are not diplomats. A diplomat is an official representative of their country.


Broadly speaking, I agree with you, but, FYI, diplomatic status is not just for "diplomats." US government lawyers travel on diplomatic passports for official business (e.g. depositions in other countries). And all lawyers are "officers of the court" and can be, for example, forced to take random cases pro bono if some judge goes a little kooky and demands it. So it's not as far-fetched as it might sound to give all lawyers diplomatic passports for travel.


It is a non-goal of mine to solve this problem only for lawyer citizens of my country.


A solution is to just not cross borders with things you can't disclose.


There's more to it than potentially thrown out.

Could he be censured for failing to secure information about clients? IANAL, but I'm pretty sure that over-sharing about clients can be a poor career move.

And what if this had been a US lawyer, who was representing someone who'd received a US NSL? Would he have violated the NSL? Who would the US go after, him or Canada Border Services?


> Could he be censured for failing to secure information about clients?

If this were a US attorney at a US border, almost certainly not. ABA rules permit attorneys to disclose client information (among other reasons) "to comply with other law or a court order."

Even as far as a US attorney receiving orders from another country, or a blatantly illegal instruction within the US, they should be alright. The lawyer didn't actually disclose client information, they just lost control of it. The ABA only requires "reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information" about clients. Offering up the password might not have been a reasonable effort, especially in the absence of consequences for refusing, but having the device imaged and cracked seems to clearly exceed reasonable efforts to prevent unauthorized access.

As for NSLs, what a mess. I'm not sure anyone can answer this for you. They already push the established bounds of compelled speech, so general precedent wouldn't be a trustworthy guide. And any NSL-specific precedent was almost certainly set in closed, confidential hearings, so the only people familiar with it wouldn't be able to discuss it.


You will never be able to prove parallel construction happened.


Who has the burden of proof though?


You do, since the courts assume the parties behave honorably (i.e. they assume there is no parallel construction).


Sadly this is an incredibly cogent concept. We saw this with Lavabit and when courts accept patently false LE testimony.

The system works when corruption and deceit aren't present or tolerated - when they are the institutions become suspect.


I don’t have much of a problem with assuming parties are honorable. In fact I don’t know how a justice system would work otherwise.

My problem is that our prosecutors are often dishonorable!


There is corruption and deceit in every system, which is why we must demand total transparency, checks and balances on all of our institutions.


edit: wrote comment about Herring v. United States but this is a Canadian case.


This is about a Canadian case. There is no such thing as a precedent from an American court.


In theory, any ruling in any Common Law country could be cited as precedent in any other Common Law country.

As the US has the 4th amendment, most US search-and-seizure cases rest on it. If anyone were ever so bold as to argue a positive right to privacy for all humans--rather than the weaker but easier to prove prohibition against US governments committing privacy-violating acts--and the case was decided on it, that case could be used as precedent everywhere.

Judges are generally careful about not doing that, for obvious reasons. If a lawyer tried to make the case about a right to privacy, the judge might decide the outcome of the case based on that, but the opinion would certainly say that the litigant won or lost because of some other reason.

Statutory law is generally robust enough that judges can almost always decide based on it rather than on discovered law. So it's not that Canadian courts couldn't accept American precedent, it's just that American courts make special efforts to not set any Common Law precedent that a Canadian court can use. If it ever happens, it's likely to be in civil equity cases between two or more non-government parties.


Why do people feel a need to post laws and such which are not relevant to the discussion?

This is hosted on CBC (Canada broadcasting corp) and clearly this is about the "Canada Border Services Agency (CBSA)"

What do US laws have to do with this?


Sometimes when there is a lack of local jurisprudence, courts will look at other jurisdictions for guidance. But it’s more common for a colony to do that when the motherland has more case law.


In Canada technically it would be Whoever v. The Crown (Queen Elizabeth).


In British practice my understanding is that it would be A v. R.; the website of the Supreme Court has judgements in the form R. v. A and A v. Her Majesty The Queen. Whence your usage?


If it can, sounds like a loophole to get a case you're working on thrown out. If it cannot, sounds like a convenient way to gain extra leverage.

And all it takes is to bribe an officer.


Even an attempt at bribing a law enforcement officer is a felony.


Yet it happens all the time.


There are various linguistic constructions you can use for plausible deniability (e.g. "at home I can just pay a fee to get into a different priority group: do you have the same system here? I think I have enough cash to cover it.")

I actually once did pay a speeding ticket to an arresting officer (in Montana or Wyoming or one of the Dakotas IIRC -- it was decades ago) and it was very clear how the officer handled it that he was not pocketing the money (e.g. he held an envelope I placed the check into, I licked and sealed it, and his body never came in contact with my check, though cash was also an option).


Maybe set up a VM on AWS and bring a new laptop over the border. Or leave your laptop at home and VM into it. Or ship your laptop to wherever you're staying and bring a burner phone over the border. Doesn't seem like a difficult problem to solve.


So because you personally can hide your private data, that makes this an acceptable form of security for 'everyone else'?

Pardon me while I humbly disagree.


Everything you just said is a massive inconvenience.


Why? I am literally working like that all day long and it is super easy to achieve. Maybe takes 15 minutes to set up everything.


As opposed to having your laptop seized for multiple weeks?


> Can this be used to get whatever case(es) he was defending thrown out

Along the same lines a case could be made for legal malpractice if it was reasonable for the attorney to know that there could be a search (and it is: he is an attorney and the assumption is he is familiar with the law). It is similar to putting his phone unlocked in a car and the phone or the car is stolen. There is a reasonable expectation that the attorney will safeguard client materials (is what I would argue). (Paper files in the office and not giving the proper protection the same).

Bottom line is the fact that he is an attorney does not magically in itself also mean he doesn't have to take prudent steps to prevent the release of information (with regards to malpractice).


Unlike the stolen phone, in this case it would be the same entity that's stealing confidential data, and holding him responsible for the data getting stolen - the government.


Probably only if the seized information was provably "used" for something.


IANAL, but I think it might. Not sure though.


>> Can this be used to get whatever case(es) he was defending thrown out because solicitor-client privilege was violated or parallel construction was used?

That isn't what this is about. Nobody is talking about what this is really about and it isn't anything to do with him being a lawyer. This guy (1) was traveling alone (2) to a distant (3) and poor (4) country without preexisting business ties (5). Those are all red flags for sex tourism.

I cannot say this strongly enough: I would never say this guy is a sex tourist, nor would border services. But they do run a program that targets people who meet certain criteria, criteria that this guy seems to have fallen into. Most famously, a bishop returning from Thailand had his laptop "randomly" searched by this program. (https://en.wikipedia.org/wiki/Raymond_Lahey) There have been other less-pubic successes too. The program is controversial but within the bounds of Canadian law.

So before everyone goes nuts about terrorism and attorney-client privilege, realize that this innocent person was caught up in a program that has nothing to do with those things. Canadians are polite, especially when dealing with sensitive matters. Canadian cops don't shout things from rooftops. Because of the nature of what they are looking for, border services isn't going to give any public explanations. They will hold the electronics for some time, as is their right, but they likely regret "randomly" selecting this particular person. In the future they will probably add "not a lawyer" to the criteria.


Guatemala is well known as a drug transport point. Plenty of the politicians there were caught being directly involved. Which, along with other contraband, accounts for the majority of customs' actual work and is far more likely to be the concern with any traveller from there:

https://www.reuters.com/article/us-guatemala-politics/guatem...

https://www.insightcrime.org/investigations/the-zetas-in-gua...

http://latinalista.com/columns/globalviews/venezuela-no-1-tr... (see the chart, plenty of flights stop in Guatemala).

Still, it's no excuse to search Canadian citizens' phones or laptops. Either find probable cause (i.e., some actual evidence which indicates a crime besides abstract "red flags" about travelling which could apply to thousands of innocent people) and get a warrant or don't do it. Otherwise it's open for tons of abuse and unnecessary invasions of privacy.


Don't use American definitions of "probable cause". Canada is a different country and defines probable cause very differently. Canada has a different relationship with its borders than America. The physical scale is different. Sovereignty is different. Canada's "charter rights" are different than American "constitutional" rights. Canada places greater trust in individual enforcement officers and, generally, doesn't play the legal dances that are common in the US in relation to searches. Canadian border services agents may have greater power than their US counterparts but they are still a billion times easier to deal with than the TSA. Ask Canadians if they want to adopt US-style rules and plenty would say no on principle alone.

Notice that this guy is now free and able to tell his story. He wasn't detained in handcuffs for days. He wasn't transported to a remote jail for interrogation. He wasn't charged with some trumped-up excuse to hold him. He wasn't subjected to a body cavity search. He wasn't added to some terror list. There is no allegation of racism. They seem to have politely explained the situation and let him on his way. Canada does things differently.

[edited for clarity, for those who require simple literality].


Probable cause is a core part of the Canadian charter:

> 3) based on reasonable and probable grounds to believe that an offence has been committed and there is evidence to be found at the place to be searched.

https://www.justice.gc.ca/eng/csj-sjc/rfc-dlc/ccrf-ccdl/chec...

This is not some unique American concept. Otherwise I don't see what point you're trying to make...


Though Canada's constitution has this weird ability to suspend fundamental rights.

https://en.wikipedia.org/wiki/Section_33_of_the_Canadian_Cha...


Yes, both countries have a concept of probable cause, but they have different definitions of what constitutes it—of which only a little is what is spelled out in the charter/amendment; most of the effective criteria come from case law.

In other words, just because this kind of profiling wouldn’t constitute probable cause in the US, doesn’t mean that it doesn’t constitute probable cause in Canada. (I’m not sure that it does constitute probable cause in Canada; I just don’t know for sure that it doesn’t.)


> Canada does things differently.

As a Canadian, I would say “not really”. Plenty of examples of people’s rights being violated by Canadian officials. Those events don’t get the scrutiny that US events do, but they certainly happen.


And the Canadian courts are far more likely to say the infringement was acceptable, either in that court, or under an appeal if the government loses.


Which is terribly unfortunate, and makes me value my Canadian citizenship less and less.


I don't think he was specifically referring to the American or Canadian or Australian or <insert country X here> definition of probable cause, but rather the concept itself.

I don't know why you're trying to make a point about Canada vs US and how one is better than the other. Just because he's free to tell his story and wasn't prosecuted doesn't mean that the CBS is off the hook for seizing upon his electronic devices - without reason - and even threatening that they would be sent to a lab to be cracked.

I'm neither an American nor a Canadian citizen, but when I do travel to these countries I would expect that my privacy not be breached, especially not without reason and when I've already cooperated and consented to my bags and other personal items to be searched.

Now the next time you travel, and the CBS or US CBP decides to seize your devices, are you going to just surrender your devices, given that they've explained everything nicely and will let you go on your way?


> Canadian border services agents may have greater power than their US counterparts but they are still a billion times easier to deal with than the TSA

I think you mean US Customs and Border Protection, not the TSA.


What is wrong with sex tourism?


In most parts of the world, sex workers don't exactly have strong human rights protections. In a poor country, it's generally worse.

A relatively wealthy, privileged person going someplace poor for sex is probably doing it because it facilitates doing rather nasty things in a way that is comfortable for them. They don't need to be ugly about it. Someone else will be ugly about it on their behalf while making them feel great about spreading their money around.

This often means they are raping children or otherwise indulging sexual predilections too unseemly for sex workers in more well-heeled parts of the world.

So sex tourism is generally understood to be a polite term for exceedingly depraved behavior with a veneer of civility.


Are you saying that single men who travel to Thailand specifically to have easy access to prostitutes are often in it for the child sex and degrading sex acts? Isn't that like saying people that go to mosques are often terrorists? Sorry if I'm misinterpreting your comment, but as worded it sounds like you believe the majority of sex tourists are pedophiles. In my experience, having spent several years in Thailand, most of them are there to have lots of consensual sex with adult sex workers because there is no legal prostitution where they live. The notion that more than a fraction of a percent of them are kiddy fiddlers is pretty out there. I also disagree with your claim that the term sex tourism is used as a euphemism for sexual exploitation. I've never heard it used that way, at least. A sex tourist is someone who travels to a location for the express purpose of having sex with prostitutes.


This. Anyone who thinks they are targeting people visiting Amsterdam's red light district, or Nevada's bunny ranch, needs to read more. This is about people seeking underage sex in countries where it is more accessible than in Canada. Thailand, Vietnam, all of South America ... a single male with no family ties, returning alone from such countries should expect some attention at the Canadian border. They are looking for the pictures, the possession of which is a serious crime in Canada.


[flagged]


Not in my case. I'm for the decriminalization of sex work, among other things. I'm just against raping children and generally mistreating poor people because you think you can get away with it.

Keep it among genuinely consenting adults, and I don't care how many, what genders are involved, how you folks agree to get your freak on and yadda.

Just one easily findable prior comment by me:

https://news.ycombinator.com/item?id=19821347


Terrorism, children, drugs, or sex; all excuses used for attacking individual liberty. Let's get real here, stuff like this is about control, not about security, and certainly not about morality...

That's just how politicians package it so the people swallow the poison pill.

That said, I feel like people vastly overestimate the similarity of governments of the US and the UK's vassal states like Canada, and that false expectation is part of why people get outraged. Once one understands this, the authoritarian approach of the "Commonwealth" nations makes much more sense.


I answered a question about what is so bad about sex tourism and also responded to accusations that being against child rape amounts to puritanism.

If you want to narrowly define Puritanism as against child rape, okay, I will proudly accept that label.

Beyond that, I think you are barking up the wrong tree. I'm not here to discuss politics. I have very little to do with politics. If you think explaining the term sex tourism is some sort of political agenda, agreeing with a particular policy, etc, you are reading in a whole boat load of stuff that isn't there.

I'm a private citizen, not a politician. I'm engaging in discussion on a forum. That's the extent of that.


The post is about politics though.

>I'm a private citizen, not a politician.

You mean citizens don't bear responsibility for politics? Does it mean that politics is disconnected from society?


Please don't post flamebait like this again. It's flamebait because it's both inflammatory and unsubstantive. It's like spending your last dollar to buy spoiled milk.

https://news.ycombinator.com/newsguidelines.html


[flagged]


> Terrorism, children, drugs, or sex; all excuses used for attacking individual liberty.

You've provided no basis for this claim.

> Let's get real here, stuff like this is about control, not about security, and certainly not about morality...

You've provided no basis for this claim.

> That's just how politicians package it so the people swallow the poison pill.

I take this as an expression rather than a claim, but still it doesn't teach us anything.

You haven't tied your point about sovereignty to the topic of discussion, and when commenters don't do that we get taken off into generic tangents.

This is not about holding controversial opinions. It's about failing to meet the standards of discourse here, and meeting them is a rather mechanical thing which all commenters are capable of.

https://news.ycombinator.com/newsguidelines.html


[flagged]


You're failing to meet the bar of discourse here in this thread. Please review the guidelines and start following them or we'll ban the account.

> Be kind. Don't be snarky. Comments should get more thoughtful and substantive, not less, as a topic gets more divisive.

https://news.ycombinator.com/newsguidelines.html


> A relatively wealthy, privileged person going someplace poor for sex is probably doing it because it facilitates doing rather nasty things in a way that is comfortable for them

Or simply because it's easier because prostitution is not (as) criminal and/or it's well organised (e.g. red light zones), and not forgetting it's likely to be much cheaper. To assume their choice of destination for something as nasty as raping children is quite a jump.


It's not an assumption. That's based on reading about the topic.

It may not be universally true, but the fact that it is fairly often true is why the term has such negative meaning for most people.


What kind of percentage are you talking about? "Fairly often" covers a, erm, multitude of sins.


I've gone back and reread my initial comment. It has plenty of qualifiers. I think it is adequately clear and stands on its own just fine, without further clarification.

I have no idea why you are nit picking this. I'm not going to discuss it further with you.


It was a sincere question. You say you've read up on this. I haven't, though I have lived in Thailand and travelled around the region, and from my personal experience (not as a consumer, but I don't need to be a smoker to have some idea (anecdotally) of the level of smoking around me) the vast majority of foreign men that were consumers were not involved in anything to do with children or any such thing.

Hence, I was interested in actual data. That's all. Enjoy the rest of your day.


You may think I mean straight up pedophilia involving elementary school aged children. That can happen certainly.

But a 17 year old is legally still a child in many jurisdictions. A lot of men in their twenties see nothing wrong with getting involved with a 17 year old.

If you are talking a dating situation, my views on that get a lot more complicated. If you are talking prostitution, a 17 year old sex worker is highly unlikely to be there by choice.

At that point, it is, in fact, child rape, even if you aren't comfortable with the terminology and wish nicer language were used to describe it.

I don't feel compelled to try make it sound nicer given how damaging it can be to the child in question.

Statutory rape doesn't have to be violent. The minor may even have nominally agreed. But the law says they can't actually meaningfully consent as a minor.

If they are a minor and a sex worker, they are likely being trafficked. That's where this gets really nasty. The guy paying for the service may be blissfully oblivious to just how much she is being pressured, has no real choice, etc.

I covered that in my original comment. That's a large part of why this is an ugly thing.

You (the general "you", not you in specific) hand wave away that she's 17 instead of 18 because it's only a few months and he may not have actually known her age etc.

It's a slippery slope that basically says if you can fudge on enough "little" details, it's totes fine to rape children. Traveling to a foreign country for your cheap sex is a very handy way to gloss over those details and pretend it was all above board and nice when it probably wasn't.


How about we avoid that slippery slope entirely, by using a very expansive definition that lumps in sex with anyone under 21 as going in the 'depraved or otherwise a problem' category?

Now will you please consider giving some data or some kind of percentage or explain why you said "probably"?

No one is trying to claim this kind of horrible behavior doesn't exist. But I want to understand the scale of the problem. Trying to figure out if it's 10% or 90% is not nitpicking!


Thailand’s Health System Research Institute reports that children in prostitution make up 40% of prostitutes in Thailand. In Cambodia, it has been estimated that about a third of all prostitutes are under 18.

https://en.m.wikipedia.org/wiki/Child_sex_tourism

There are many readily available articles on the topic just a Google away if you really want to know more.


The reference on Wikipedia is from a report[1] by the "UNITED NATIONS INTERREGIONAL CRIME AND JUSTICE RESEARCH INSTITUTE", which is a "desk review" that cites and reviews other research. The quote Wikipedia uses is from a paragraph on page 18:

> Thailand’s Health System Research Institute reports that children in prostitution make up 40 percent of sex workers in Thailand.

I can't find this report even though I've been using the HSRI's own searchable database[2] and search engines (you'll need Google Translate unless you can read Thai). I did, however, see numerous other reports reusing the same quote in the searches returned by an engine, so it's well used.

If we continue the same paragraph:

> At the other end of this debate many NGOs estimate the number of CSEC victims to be in the hundreds of thousands. Other reports estimate the number of child victims of prostitution to be at least 80,000 but likely to be in the hundreds of thousands (ECPAT International; The Protection Project, 2002: 539).

I can't find any Protection Project report about Thailand in their publications[3], nor do they include Thailand in their list of country reports[4]. I also cannot be sure that either of the reports[5][6] I found on ECPAT's site are the one cited. The larger one, which was published in 2011 (but is the 2nd edition so perhaps it is from 2002) does not include the figure. It does however have this:

> Prostitution is technically illegal in Thailand, but sexual services are sold openly with an estimated 60,000 children under age 18 involved in prostitution.15

This is note 15:

> U.S. Department of State, 2009 Country Report on Human Rights Practice, Thailand. Accessed on 13 July 2010 from: http://www.state.gov/g/drl/rls/hrrpt/2009/index.htm

This is the statement in the report[7]:

> In 2007 the government, university researchers, and NGOs estimated that there were as many as 60,000 prostitutes under age 18.

No note for that one, it's a dead end.

This doesn't mean the figure is wrong, of course, but it does support the idea that people should be able to question figures, and when challenged, claims should be backed up by something better than circular references, missing reports, and dead ends.

[1] https://web.archive.org/web/20070712223227if_/http://www.uni...

[2] http://kb.hsri.or.th/dspace/

[3] http://www.protectionproject.org/publications/

[4] http://www.protectionproject.org/country-reports/

[5] https://www.ecpat.org/wp-content/uploads/legacy/Factsheet_Th...

[6] https://www.ecpat.org/wp-content/uploads/legacy/a4a_v2_eap_t...

[7] http://www.state.gov/g/drl/rls/hrrpt/2009/index.htm

Edit: formatting, a little bit of javascript wouldn't go amiss for the comment boxes!


It's nice that you made the clear distinction with the general "you" but it'd be good if you worked a bit harder to cut out the other insinuations. For example:

> At that point, it is, in fact, child rape, even if you aren't comfortable with the terminology and wish nicer language were used to describe it.

- Where did I say or imply that it wasn't child rape?
- Where did I say or imply I wasn't comfortable with that terminology?
- Where did I say or imply I was wishing nicer language were used to describe it?

I'm not sure how you hope to have an adult discussion on a sensitive topic if you're going to insinuate that asking you a question is tantamount to defending child rape.

I for my part have tried to find out more from someone who says they know more. I'm reading the research from one of the Wikipedia references you gave and questioning some of my assumptions while trying to remain sceptical and clear headed enough to analyse it.

> I don't feel compelled to try make it sound nicer given how damaging it can be to the child in question.

I think it's unlikely that most people in this discussion are condoning or defending this behaviour (or maybe they are but they should still get a chance to give their point and be challenged). Since we know most people will say they're for the protection of children wouldn't it be better to take them at their word, play the numbers and realise the majority here will be the same, and, if not tone down the description, tone down the attitude?

It's Hacker News, not Twitter.


>If you are talking prostitution, a 17 year old sex worker is highly unlikely to be there by choice.

That's true for most workers of all ages.


The fact that some adult sex workers are also victims in no way makes child sex trafficking somehow more acceptable or justifiable to me.

From what I have read, even sex workers generally agree that most adult sex workers "made a choice" if they remain in the life and "it's different if they are underaged."

Among other things, I've read a few biographies by sex workers.

I would love to see sex work generally see an improved track record of human rights protections. In developed countries, child labor is generally deemed to be a bad thing, even when the work in question isn't inherently exploitative.

I stand by "raping children is a bad thing" and "underaged sex workers are victims of child rape."


"Sex tourism" is usually implied to mean sex with people who are either underage or somehow unwilling.

Travelling abroad as a tourist for sex, with willing and legal participants, is obviously fine.


Really? I think you know. I'm not going to spell it out.

Edit: fine. I guess some people here need the talk. This is about the phenomenon of men traveling from rich countries to poor countries to engage in sex with children. Not this guy, but it does happen. These men often return with digital images stored on laptops and cellphones. Possession of such images is illegal in Canada and so Canadian border services targets men who fit the profile of a potential "sex tourist". The term is a polite euphemism for a darker profile, not a literal reference to having sex while being a tourist.


That's not a useful reply. People travel to countries where prostitution is legal for that purpose, and so someone doesn't necessarily know the extra connotations that phrase carries for you.

I for one did not immediately equate sex tourism with child slavery or pedophilia until I saw your sibling comment.


They may be referring to the legal aspect, that it does not mean they are a criminal. It is more of a rightly so frowned upon moral issue, but legally is usually okay.


Yikes. In case you're serious, it's the slavery, and children.


I think you’re thinking of sex trafficking. The John being a tourist is orthogonal to the prostitute being a victim of trafficking. Many sex tourists visit Germany, for example, where prostitution is a safe, unionized profession.


Yeah, I'm not talking about Germany. We're talking about why border patrol might investigate something.


Highly naive picture of Germany's pragmatic situation - basically nobody is registered much less unionized and trafficking is everywhere.


It's still a dragnet. They're not SWATing a semiautomatic rifle up your nose - nobody's claiming they're not polite - but the fact remains.


Police generally have access to full-automatic machine guns. They’re not limited to the semi-automatic models sometimes available to civilians (e.g. in the US).


US cops. Canadian cops don't carry full auto often, and when they do it is never used. It goes against RCMP training. I cannot think of any Canadian examples of cops using full auto.


Dragnets tend to catch more people. This is less than 1% of 1% of travelers. It is a very limited program.


> other less-pubic successes

Freudian slip right there if I've ever seen one


I have asked this question before, but never really got a satisfiable answer: why do governments (not just USA/Canada) spend these resources to check data physically at a border?

It's not like you need to 'smuggle' any form of data physically.

I mean, any data considered to be dangerous (like terrorist attack plans, atomic bomb designs or political inside information) can be accessed across borders via the internet. You don't need to have those on any of your devices.

And even if you had the data on a laptop, how does border patrol even know what they are looking at?


There is actually a Canadian Border Patrol TV show you can watch, and they don't even try and hide that they do this. They very openly show when they check someone's phone and laptop. I have seen it on the show, and they have shown them "catching" people. They'll usually use it to check if people are intending to stay and work in Canada, such as seeing in their texts or emails that they were arranging work and/or places to live.

They have shown this very thing on the show where they found on their device that they were making these arrangements. It seemed very invasive and disturbing. They got their password and were looking at their phone and laptop in a backroom. The traveller didn't even get to see what they are doing or anything.

I don't have anything to hide, but I would never feel comfortable with ANYONE having free rein over my unlocked devices, especially not a government border agent doing it behind closed doors.


Even if I agreed with customs officers rifling through my devices, I would only ever want them to have read-only access. Like, you'd hope they're not malicious, but can you really trust some in-a-hurry agent with little to no training in this area to not accidentally wipe half your hard drive?


> I don't have anything to hide

that’s not for you to decide (unfortunately)


It's often just security theatre meant to please the law & order voter base more than anything else. They might catch some minor criminals but as you said, if you really want to "move" data across a border, there are plenty of ways to do so without physically carrying a device.

For some goals it can actually be useful, though I'm not sure if this is done during regular border checks or just in the context of asylum requests or similar: Accessing location histories, picture metadata or social media profiles on your device can be a fairly easy way to check that you're not giving them false information about where you're coming from or where you've been. This can be done automatically, so the officer doesn't need to figure out themself what they're looking at.


This might partially answer your question...

I had my laptop searched at the border once. It was my work laptop. They told me the same thing, if I didn't share the password they would confiscate my computer.

It felt wrong that they should be able to search my computer, but I also felt bullied because I was going to need my computer the next day if I wanted to work and I think most people, including my boss at the time, would not see a problem with the search, so I let them search.

All they did was open up Windows Explorer and do a search for *.jpg. Then she looked up at me and said, "What kind of images am I going to find on your computer today?"

I don't remember what I said, but basically it took about 30 minutes for Windows to display all the results. She looked through them all and then I was free to go. I got the impression that they were looking for child pornography, but I don't know that for sure.

Either way, it was a pretty innocuous search, but this was also about 10 years ago. From what I understand, they now pull all the files off your computer and index the contents. They likely have a list of keywords that it searches against immediately and then it's indexed for when they add more keywords later.


When I was working for $Big$Corp, I was explicitly instructed to 1) always shut down the devices with full-disk encryption 2) never give up passwords 3) surrender devices without opposition or bargaining (cooperate) and 4) call company lawyers as soon as possible

Never have faced any search, but interesting stance there.


>it was a pretty innocuous search

You and I disagree wholeheartedly there, that's an extremely invasive search.


In particular, a perfectly reasonable answer to the question "what am I going to find on this computer?" might be "Naked pictures of me/my spouse" if it's a non-work laptop.

It's extremely invasive for some random civil servant to execute an unexpected search on a device that most reasonable people assume is private.


As far as searching my work laptop, it was not harmful or offensive to me. It was strictly used for work purposes and there was truly nothing on the computer that they could do any harm with (to me or the company).

That said, under nearly any other context, I agree that it would be harmful and offensive.


Why do you think they did this kind of invasive search? It's very weird to me that border patrol would randomly search all the images on someone's computer. This doesn't even seem like an efficient way to catch criminals. Power trip?


No joke, I was sent to secondary search because I was holding a piece of cake in a go box from my lunch that I hadn't eaten and I didn't declare the piece of cake (technically, they are correct, I should have declared the slice of cake). Once you go to secondary search, they search all your stuff, including your computer. They didn't search the cake for some reason though.


Maybe just "a randomized search". Sounds very inefficient.

I think they are just looking for crimes like drug mules, people coming to work with tourist visa etc. Everyone here talks about nuclear plans but I doubt.. probably bully too but against simple minded criminals it can work. Texts of arranging work or when is the package going to arrive etc.


Right, but parent comment said they just searched all images (or jpgs). Hard to think of any motivation beyond finding child pornography, no? But that doesn't seem like something you'd reasonably become suspicious of during a short interaction.


>Power trip?

It saddens me that we think of federal governments as benign protectors of our rights. The States did not need and did not want a federal government. We feared they couldn't protect our interests. We had to be persuaded through the Bill of Rights to accept their "protection." The feds have some idealistic people within their organizations, but their stance is to utilize state-level resources for their own needs, such as international warfare wealth accumulation. This includes domination of individuals. We have only our states and the Bill of Rights to protect us from the feds.

Computers represent a very real threat to federal power. People could use them to rise up against federal governments and make their lives very uncomfortable, which is to say, much like our own. These dreams of small groups contacting one another and creating world peace beginning through networked communication were made explicit in the 90s and early 2000s. To maintain its dominion, international governments from around the world simply have to assert themselves in every aspect of our lives. With state protections, one of the key places feds can insert themselves is at borders, where reaching out to people from other nation-states happens.

Efficiency is for little people, like you and me. Federal governments print the paychecks for the border patrol, tax the money they pay them, then tax the people the border patrol buys all their worldly possessions from. They care about efficiency less than Google cares about disk space. I know I sound like a paranoid libertarian here, but I'm actually only a slightly-light-of-center person trying to bring a little reality and clarity to the situation. We are essentially pets.


You've got some interesting points here, but it definitely reads more like conspiratorial thinking. What realistic difference is there between "The States" and the federal government? In the end you're still going to have a government enforcing these things, unless you depart radically from our current societal structure.

It sounds like you're just skeptical of a powerful centralized state, and it's coming out through the lens of historical American federation/republicanism. That isn't wrong, but it's as much a history of competing factions as it is a strong intellectual basis.

You're not the only one skeptical of a powerful, centralized state. Try reading Kropotkin or Luxemburg. You might find the ideas resonate with you. Those authors have a coherent ideological basis, and suggest paths to decentralized democracy that has been realized in various forms in recent history, but is radically different to the current American government.


> What realistic difference is there between "The States" and the federal government?

It's huge! The power to drive international trade and warfare, for starters! Also, the ability to create laws that don't reflect people in your area/community.

Also wrt this thread, states don't (generally) enforce searches at their borders, because states aren't fighting for domination with nation-states. States are only trying to control their geographic area.

Thank you for the references, I'll check them out.


So basically, if I ever travel to the US or Canada, I should wipe my device first and then have about 20000 copies of gotse.jpg (but each with a unique name) on the device to force the agent to look at each picture.


This exact thing happened to my brother once. They took his laptop and did Windows Explorer searches for image extensions as well as the words "boy" and "girl", so your (and his) hunch that they were searching for child porn is probably correct. This was maybe 5 years ago.


Did they look for any other file extensions or was that literally it?


That was literally it. I was standing there. They only searched for images. Again, this was about 10 years ago though. From what I understand, they now pull everything for future analysis.


Sounds like it might be fun to load one's devices with infinite zips labelled with tempting filenames, like "red light district itinerary.zip". https://research.swtch.com/zip


It's basically because the natural tendency of government is to acquire and centralize as much power as possible. Now some forms of government take longer but without constant review and concern by citizens in a democracy it will gradually move towards a despotic regime. In some countries like China it has already happened because individual freedom isn't that valuable to the general citizenry, in the USA and Europe it is moving in that direction. Citizens need to become more active and vote for parties that advocate for more freedom rather than less.


I have been asking this question myself. To a technologically nerdy person like myself it makes absolutely no sense. There is no reason whatsoever to physically transfer any dangerous or delicate information across a border. Anyone actually with the possession of such information would obviously never bring any of it near the border control.

However, I think the answer is that I'm way too optimistic. There must be lots of people who voluntarily do carry incriminating information with them across borders because they either don't care or they're just stupid. Others have mentioned emails or text about a job when you're not travelling with a work visa.

If this is true then I think border control is also just being merely pragmatic.

With a bit of questioning and informal profiling they can spot people whose story doesn't ring true: next they just need a way to figure out what's false with that one particular person. A success rate of 38% for electronics searches was quoted: that is very high and certainly moves mobile/laptop search to the top of the list of what to look at when you bring the traveller in and start investigating. I think they'd do it even for a 10% success rate: checking a few emails and messages is fast and apparently a low-hanging fruit.

That's pretty much what I would do if my job was to figure out what's wrong with a person's story.

It's akin to starting debugging by enabling asserts and running the binary in a debugger to catch any obvious issues live with a stacktrace, or something similar. Won't help with most of the trickier bugs but sometimes it points right at the culprit and it's a cheap test to run.

They wouldn't find the folder containing your blueprints for that bomb but they'll see you'll be meeting some people next week in a place that is very, very far from where you said you'd be vacationing.


I would guess part of the reason is because they aren't rational - they are upset that things changed and interfered with their snooping even though it has been irrelevant since radio and code books have existed. If I say "Aunt Bertha had a baby." without context you have no idea if I am being literal or signaling something sinister.

A far harsher and less charitable theory is that border control is where paranoids, xenophobes, and authoritarians accumulate and the point is control and punishing "the other" instead of actual effectiveness.


They probably just want to take advantage of old laws and/or not precise enough that allows them to search everything (according to their interpretation, including virtual things) on anybody -- without even any probable cause.

Most governments can't do that (in theory...) when you are a citizen or maybe even just a resident, except when you cross the border. So if they want to watch you politically, they do that (at least) at the border.


The 38% true positive rate makes me think that either border customs violations are incredibly broad and common, or there is some kind of parallel construction happening here where they have a good idea of what they hope to find when they seize these devices from extralegal sources.

Edit: given the source, the 38% could also be inflated (perhaps by not counting certain false positives) since it comes from the department looking to justify their work.


Because things like SMS history and call history are far more valuable. They can download your entire SMS, call and contacts list, get the text from that, and then create a social graph based on who you know and who you are in contact with. Then it becomes very easy to trace people and who they are affiliated with. Plus going through SMS history is a great way to find reasons to throw someone in jail. My friend coming from Canada to the US was denied entry for 10 years even though she lived in the US most of her life because of jokes she had in her texts about marrying her ex-boyfriend for a green card. It's very real and it happens.


If you arrive at the US border and you say you're coming into the country for a short vacation and your text messages/email is full of conversations about employment in Seattle and your browser history is full of apartments for rent in Seattle, then they use that information to deny your entry into the country. It's mostly looking for "story checks out" kinda stuff like that.

There's TV shows that follow border agents for various countries during their day-to-day work.


I was coming here to ask this exact question. There's no reason it makes sense to search electronic records at a border crossing. As you point out, the point of the search is to control customs and ensure there's no smuggling going on. But electronic records are not smuggled physically. There is zero reason to do so.

So the actual reason customs agencies perform these searches is that they are allowed to do so because of the way the laws are written and precedent is set.


>It's not like you need to 'smuggle' any form of data physically.

The data may be a by-product of using the device. I suspect they are primarily looking for communications data that is bound to be on every device that is actively used to communicate.

The more end-to-end encryption is used the more interesting the ends become.

>And even if you had the data on a laptop, how does border patrol even know what they are looking at?

Maybe they just copy everything for later analysis in case communications data hints at this being a person of interest.


>The more end-to-end encryption is used the more interesting the ends become.

That is such a great line that encompasses about why more and more the ends of the end-to-end encryption are being attacked.


> It's not like you need to 'smuggle' any form of data physically.

Because most people don't have the technical know-how, or desire to spend the effort to ensure that the data they _are_ bringing across the border is safe to disclose.

Even elsewhere in the comments here is a long debate about the "safe" way to deliver data across borders, some of which are actually terrible ideas.

Yes, theoretically, people could avoid bringing any sensitive data physically across the border, but most do anyways and I bet you do too.


>some of which are actually terrible ideas

Which ones?


Assuming the goal is "Get through security without losing your laptop or your data" I would say the following are terrible ideas:

"Prank them with an undecryptable random file" https://news.ycombinator.com/item?id=19834934 and "prank them with 20,000 goatse images" https://news.ycombinator.com/item?id=19837896 as they can get you back by seizing your electronics. Of course, those sound like jokes not serious suggestions.

"Have it remotely locked by an administrator" https://news.ycombinator.com/item?id=19835097 as they won't understand that technical mumbo-jumbo and will just seize the laptop.

"Have a hidden dual-boot system" https://news.ycombinator.com/item?id=19836135 as if they take a disk image and spot it, they'll be particularly suspicious of you.

Some posters also think "Send your encrypted laptop by mail" https://news.ycombinator.com/item?id=19835019 is not good advice.


Because they don't have enough evidence for a warrant and it's an easy way to get data


Canada is successful 38% of the time when checking electronics. Common scenarios are seeing text messages showing someone has accepted a new job and will be working while on a visa waiver/tourist stay, or planning to get married while on a work visa.


However, in this case, they're checking the electronics of a Canadian citizen who has every right to be in the country.


But they don't stop people coming into the country or seizing their property. They are temporarily withholding the devices and copy the data. That's why you use full disk encryption - if they want to copy and store pseudo random data, let them.


I think the goal is to get people who have incriminating evidence on their phone, however unlikely that might be for sensitive information.


1) Security theater

2) The people who make these decisions (politicians) don't really understand how any of this works (aka luddites)


> Officers uncovered a customs-related offence during 38 per cent of those searches, said the agency.

I really want to understand what kind of digital data is considered a customs-related offence.


I'm more surprised at the 38% true positive rate. If you consider false positives, it would mean that they are shockingly good at profiling and most criminals are dumb enough to leave obvious evidence on their phone, or an overwhelming majority of people have committed a "customs-related offence" so that you could pick anyone and they would be guilty.


I would think most offenses are for improper entry, visa, etc. If you were entering to work on a tourism visa I think it would be very easy to find proof in a simple email, text or document.


The issue here is that if most people aren't intending on staying illegally, you need to be really accurate, otherwise all the false positives are going to drown out your true positives.

https://en.wikipedia.org/wiki/Base_rate_fallacy


Plus it isn't hard to pick out people crossing consistently for work.


I mean what counts as work and where it occurs are becoming very difficult to manage? What happens if you have to do work while on a real holiday, should you be deported for this? Is it valid to allow these searches for these sort of offences, it seems like at some point everyone will be guilty of doing these things.


I wonder this myself. There is a difference between traveling for the purposes of work, and working while traveling. I have a 100% remote position. I normally do my work in the US. I've considered flying to Europe for a few weeks, where due to time zone differences I could do touristy stuff during the day and then work my US 9-5 shift in the EU evening. This would allow me to travel but to not take vacation time. Would this require a work visa?


Generally speaking, there isn't a difference between traveling for the purpose of work and working while traveling for other reasons. If you are physically in one country while performing work it is considered working in that country and requires appropriate permission. Many countries do have a business visitor category that allows for some form of work (attending meetings, and the like, things that wouldn't be stealing the job of a resident).

I actually learned this the hard way, I was in your shoes, 100% remote job, for a US company, US clients, and went to Europe and thought I might work while traveling. I was detained at the border, interviewed, and very nearly denied entry. I was let in after a couple fairly lengthy interviews (I was detained for about 16 hours) and proving I had funds to support myself without working. I was given a "visitor record" and a firm exit by date, not sure what all the record entails but I get questioned every time I enter now.

Anyway, point being, legally speaking what generally matters is where you are located when performing the work, and that's really the only way that makes sense to judge where the work takes place.

With all that said, in reality being caught is extremely unlikely and plenty of people get away with it and I don't think there are many countries actively trying to crack down on that sort of short term work while being a tourist. If you want to be above the board though, unless your work counts as what a business visitor can do, you would need a visa to perform any work. There is generally no distinction between traveling for the purpose of working, and working while traveling for other reasons.

I'm not a lawyer though but I've spent a fair bit of time actually looking at the restrictions on the tourism and business visitor visas to stay legal while traveling long-term and working remotely.


I’m not a lawyer, but tend to travel a lot and had lots of conversations with border agents as a result :) My impression is that it’s primarily a question of payment - if you travel to say Belgium to get paid by a Belgian company, then it’s work. If you’re there and your work is not really related to Belgium in any way, you are on a salary paid by a US company, then your purpose isn’t really work. The shades of gray start when your employer is being paid by the local company for your work. Many countries will allow you to attend meetings for a week or two, run demos, provide some on-site support, but staying for six months and working on site likely require a business visa.


FWIW, I did this for 2.5 years while dating my now wife. As long as I had proof that I would only be in the country for less than 90 days and always told them I was working for an American company and that my American company was consulting for American clients, they were ok with it. Traveling with a recent bank statement also helped to show I had enough funds to cover my stay even if I was on "vacation"

I basically had my mornings free every day until I ate lunch then I would sit down and start work for the day.


Or they are lying with statistics (i.e. using the smallest excuse to justify inclusion as a positive).


> it would mean that they are shockingly good at profiling and most criminals are dumb enough to leave obvious evidence on their phone

Your use of the word obvious is not well supported by your argument. Do you have an unstated premise that Border Services only detect "obvious" offenses?


That's precision, not true positive rate.


There are cases at the Canadian border in which the investigators search for "boy" or "girl" using the Windows search tools to see if there is child pornography on your device. In other circumstances, they uncover hentai[0] showing characters that appear to be underage - and bringing that into Canada is illegal (in fact, much like Australia and New Zealand, any sexual depiction of fictional minors is illegal, and that can include stories or other text). There are anecdotal and well-documented cases for the latter[1]. One Reddit user claimed that the investigators at the border found browser-cached thumbnails of such material (since it used to be permitted on Reddit) and he was jailed for a day or something like that.

Not to suggest that all of the 38% count for that, but with the popularity of drawn pornography I'd wager it makes up a sizable chunk.

[0] Hentai refers to anime-style drawings of fictional characters.

[1] https://www.google.com/search?client=firefox-b-d&q=canadian+...


Is there an exception for religious texts? There is more than one common religion whose holy texts depict sexual activity with minors.

Also, if I have a copy of Nabokov “Lolita” on my kindle, will I get in trouble? Stephen King’s It? An apt pupil?


“Also, if I have a copy of Nabokov “Lolita” “

Enforcement is selective.


It's sickening to think that, despite the ban in Canada, countless innocent anime girls are being abused in Japan every day - many of them children! The UN should apply pressure to get Japan to stop this vile abuse, and import of cartoons into Japan should be banned, as their safety cannot be guaranteed there.


Fictional child pornography does not directly harm children, but it is likely that it does so indirectly by creating demand for actual CP. To me, it seems totally reasonable to make all sexualized depictions of children illegal for this reason.


That's one way to look at it. But there's evidence that access to porn reduces the amount of rape [1]. In light of that, it seems reasonable to ask - how many children are we willing to allow to be raped, to protect our precious anime girls?

[1] https://www.psychologytoday.com/us/blog/all-about-sex/201601...


>but it is likely that it does so indirectly by creating demand for actual CP

Until there is evidence of that, it seems strange to say that's a conclusion at all, or that it's likely. In fact, Patrick Galbraith's work on how users of fictional CP actually interact with their materials suggests exactly the opposite: they have developed a form of sexuality for the representations themselves - the more fictional, the more real to them. To add to that, the research I've read shows that pornography is not associated with increased rates of sexual assault or rape. If the link isn't even there for regular porn, what would make you say it's "likely" there for cartoon representations?

Furthermore, do we apply this standard elsewhere in society? If there were no research on the link between video games and violence, would you conclude that it is "likely" it indirectly creates a demand for videos of real violence? Is the fact that someone might be spurred on to do a different act sufficient to illegalize the original act which spurred them? I would say not, unless we were to illegalize drugs (for example) because those who partake are likely to be violent? Should we prosecute cannabis users because they create demand for drug cartel products which finance murder? Apple users because they create demand for the appalling treatment of Chinese workers?

Most researchers on the philosophy of law in this area (e.g Suzanne Ost) while obviously opposed to actual child pornography find no philosophical basis in the harm principle to illegalize fictional representations. As such, it's not reasonable at all. You need to justify why you think it's "likely" and just what that standard means. If it cannot be justified, then we may say that any likelihood is sufficient to illegalize any material, but I doubt that's a conclusion you'd want to follow to its extreme.

Finally there's the issue of penalties - isn't punishing someone for something they might do (access real CP) unjust? This seems shockingly close to the notion of pre-crime. To avoid that, you'd want to look more at punishing the creators of the material rather than those who have consumed it and harmed nobody (other than themselves perhaps).

If there is no cultural understanding of the real people themselves, how they read the text and how they interpret it, any law is based merely on speculation and I must stand firmly against such speculative laws.


Perhaps what you suggest is true. I don't pretend that I have done tons of research on this; I only say that it is not inconceivable to me that fictional CP increases demand for real CP.

> do we apply this standard elsewhere in society?

If there is a demonstrable link between them, sure. The same way real CP is illegal because it creates demand, which causes more CP to be made. Remember, owning CP does not directly harm anyone.

> If there were no research on the link between video games and violence, would you conclude that it is "likely" it indirectly creates a demand for videos of real violence?

No, because video games and videos are completely different things. People who play violent video games don't do it because they like watching violence, they do it because they like playing video games.

> isn't punishing someone for something they might do (access real CP) unjust?

They're not being punished for something they might do, but that they did do. If fictional CP is illegal and someone is in possession of it, then they've committed a crime.


> The same way real CP is illegal because it creates demand, which causes more CP to be made. Remember, owning CP does not directly harm anyone.

The possession of real CP in most places isn't illegal because it creates demand, but because in order for its creation it required the actual abuse of children, and it's a violation of their privacy. Arguments against possession nowadays rely on two factors: the risk of harm (which is frequently not justified) and the violation of privacy. The second is a direct harm. CP is more often than not accessed for free in ways where the original uploaders have no way of knowing how many people consume the material - in the same way that Usenet posts circulate, and in an even more opaque way to BitTorrent. You can't see how many seeders you have on CP sharing sites. Paying for it is dangerous, so most consumers tend to coast on what they can find for free.

>No, because video games and videos are completely different things. People who play violent video games don't do it because they like watching violence, they do it because they like playing video games.

They are different, but the argument could also be made that comic books (in which lolicon hentai is most often published) are different to videos, and Japanese visual novels (which are branded and appreciated as games in their own right) which contain virtual CP are different to videos too. Yet we also would suppose that most people who play violent video games select violent video games for a reason over other non-violent games. The violence is an allure just as much as playing the video game is. For what reason, I don't know - perhaps to experience the limitless world of the imagination, or a break from life. Either way, people who read underage hentai don't do it because they like the idea of children being abused, they do it because they can find a way to engage their erotic desires in a fictional world - but again, they must also have some reason to select lolicon over other content, and that's accounted for in the history of the status of women in Japan and the concept of moe. We can abstract away from video games and violence too; what do you think about movies that show violence, comic books that show disgusting levels of violence and pain, anime that shows violence...

>They're not being punished for something they might do, but that they did do.

Then the law is unjust - we would be punishing a victimless crime if we outlaw possession of things which cause no harm. Evidently the crime itself can't be located in the mere fact of the violation, since presumably it's a crime for other reasons. If it's a crime because "the viewer might do x, y, z" then it's punishing someone for something they might do through the creation of a law which punishes something they did do. It's simply adding another layer of explanation and indirection to the process, it doesn't automatically add any more justification. That's how the concept of pre-crime works, the pre-crime itself is made into a crime that can be prosecuted. I'm not suggesting that due process is being abandoned here, I'm saying that the rules in deciding what should and shouldn't be crime are being abandoned in favor of speculation.

> I only say that it is not inconceivable to me that fictional CP increases demand for real CP.

On the same token with the same amount of conviction (i.e. none) I can say that it's not inconceivable that fictional CP lowers (or doesn't affect) demand for real CP. Now I don't really believe that's true, but I have as much reason to believe that as you do to believe the opposite. Perhaps posting on HN increases the demand for brutal startup founders who abuse their employees.


> To me, it seems totally reasonable to make all sexualized depictions of children illegal for this reason.

Among a huge number of intractable problems with fictional works, this also would make it illegal for many abuse victims to talk about what happened to them.


I disagree. Texts and fictional drawings should not be made illegal, regardless of their content. (I am not so sure that even actual child pornography should be illegal, although maybe it should be illegal to buy and sell actual child pornography, and also illegal to take photographs of them without their permission (even if it isn't for money).)


Doesn’t that make Season 1 of Californication illegal since David Duchovny’s character has sex with a portrayed 16 year old girl (with full frontal nudity)?


The representation has to be pornographic; I should have clarified. That said, "borderline" pornography, including a "chibi" (characters drawn with no definition or detail, no genitalia visible) parody of a famous Japanese print, were prosecuted in Canada[0]. If I could I would link the image in question if you wanted to see just how ridiculous this prosecution was.

[0] https://www.cbr.com/canadian-court-drops-criminal-charges-in...


> any sexual depiction of fictional minors is illegal, and that can include stories or other text

So the Bible and the Quran cannot be imported legally into these countries?


OK so that search is NSFW


There’s a reality tv show that follows the Canadian border patrol, in the couple episodes I’ve seen the agents have found emails about the person crossing actually going for work when they say for tourism or visiting family.


I watch that show too much and it seems there is nothing they can't search or if they can't get access to they'll confiscate and send the device to some lab in Ottawa. If the intent of the show is to portray them as *ssholes then mission accomplished.


US Customs has the same power, within 100 miles of all borders. It's rarely used, but this means they have nearly unlimited search abilities over about 65% of the population.

https://www.citylab.com/equity/2018/05/who-lives-in-border-p...


I mean, to be honest, that's probably illegal, but I have never liked trading freedom for security.


People love trading other people's freedom for security. Especially if it has to do with immigration.


Yep - that is why many love profiling - security theater that doesn't even inconvenience them because they are the "right people". Plus it focuses on "the bad people".

Even though it has a trivial workaround of not looking the part. The Lod Airport Massacre "terrorism swap" with Japanese Red Army Terrorists and Popular Front for the Liberation of Palestine-External Operations in 1972 shows just how useless it is as a measure.


I'm not sure why you're being downvoted, it seems entirely correct, given the prevailing political climate.


And unfortunately this is often how they get away with doing stuff like this. People scream "my privacy!", government replies "but illegal immigrants?!?!", and people are like "ah all good then, I've got nothing to hide!".

It's just so dumb, and I've heard a lot of older people especially who will say the common "Why is it a problem if you've got nothing to hide?". I think some people fail to understand the kind of data people can have stored, and how much of some people's lives are part of their digital devices. I'm sure they wouldn't want police coming into their house and searching it.


Immigration: the government's favorite scapegoat.


Let's be clear, it's not just the government but a large chunk of media and voters using immigrants as a scapegoat.


As much as they may like to, I've yet to have armed agents of CNN et al demand to search my electronics.


I watch that show as well. But I don't remember if they simply asked the person if they could search or demanded that they be able to search. Anyone who watches reality tv (for example 'Live PD') knows there are many cases where the police officer simply gains consent from the suspect for a search without any particular legal reason or right to do so. Now if they suspect they can (from watching) bring in a canine and if the canine smells something they then have probable cause (I believe) w/o getting a warrant (this is from memory and not a legal opinion that I have researched).


>Now if they suspect they can (from watching) bring in a canine and if the canine smells something they then have probable cause (I believe) w/o getting a warrant

They can't extend the traffic stop to bring in the dogs unless they have reasonable suspicion. https://en.wikipedia.org/wiki/Rodriguez_v._United_States


>I really want to understand what kind of digital data is considered a customs-related offence.

Photo of someone smoking a joint in a legally (at the state level) operated dispensary. A pirated MP3 or video file.

There's all sorts of minor "customs violations" that would come into view looking through a device that frankly, aren't serious enough to warrant the violation of privacy.


> A pirated MP3 or video file

In the first place, piracy is not illegal in Canada. Provisions surrounding copyright violations fall under bill C11, and that's a civil juncture, not a criminal one. So CBSA agents wouldn't be looking for that in the first place, nor would they have any grounds to do anything about it, since they aren't the rightsholders.

And even if they did, they have an interesting burden of proof in proving a given file was obtained via piracy. And what would they do? Detain you indefinitely because they want to "have a discussion" about some pirated Katy Perry song? I would agree that photos of doing drugs could be met with refusal at the border, but be reasonable.


They are looking for what is called "objectionable material". I don't know about Canada but in Australia it would be importing porn, any CP-like looking things (say porn with young Asian females that look like children and they have no means to check their age) and so on. I don't know the full definition but basically they can add and remove stuff to this "objectionable material" list. Possessing data listed there is a crime. Recently, in New Zealand the shooter video went onto that list.


Cardinal Richelieu only needed six lines. Imagine what he could do with 500 GB.


"what kind of digital data is considered a customs-related offence"

It's not the data, it's what the data reveals.

Like an SMS with 'I put $100K in your panama account'.

Obviously a bad example but you get the idea.


It's stuff like this that makes me want to build after-market privacy-oriented Samsung firmware, that at a low level (secondary bootloader) supports dual booting. By default you'd boot into the "non-private" environment. That way if customs asks to see your device, you simply boot it up and hand it over. Could make life a lot easier for lawyers, doctors, C-level executives etc.

I should note, dual-booting Android phones isn't a new concept, it's just generally performed at a higher (less secure) level. In particular, the secondary bootloader implements Loke (flashing protocol)[1], so a custom secondary bootloader could also prohibit flashing of unsigned images.

[1] source, I'm the developer of Heimdall - https://github.com/Benjamin-Dobell/Heimdall - https://gitlab.com/BenjaminDobell/Heimdall


Providing the fake password would be, at the very least, lying to the border patrol agent. Which is an actual crime.

This might be a reasonable solution if it's a one-off unique solution and is therefore unlikely to be detected. But if you can't count on security through obscurity, this is a good way to end up serving real jail time.


That's certainly something to consider.

However, it's pretty well understood criminals aren't legally required to self-incriminate. For example, if a criminal was to hand over their password, they're not then obligated to assist border security in navigating through their phone's storage to specifically point out evidence against themselves.

Whilst I'm not advocating this solution for criminals(!), I'd assume the same logic ought to hold true for those that have careers where privacy is paramount.

If you simply boot up your phone (into the "non-private" environment) and have no password, or perhaps even use the same real password (remember to change it later), then it's not necessarily your fault the border agents don't know how to use your phone.

EDIT: In terms of lying / being discovered, this is why I'm proposing a low-level dual-booting solution, rather than simply having multiple profiles on the device. It ought to be 100% undetectable that the device supports dual-booting at all, unless the user performs a precise action to boot into the private environment e.g. connect the phone to PC, and submit a specific boot command with a user provided password. Without the correct password being provided, the phone should respond no differently than a phone that does not support dual booting.

Although, IANAL nor have I made any attempt to look into the laws surrounding this. I would be surprised, although not too surprised, to hear there are laws specifically covering this situation. Nonetheless, it'd be a loophole for sure, and presumably easy enough to close off with further legislation.


Thank you for using Gitlab. I'm not affiliated with them but I love seeing open source projects that use open source platforms.


Thanks for your work on Heimdall btw. It's the only reason my Samsung S5 is still running fine years after it came out.


Did you put a new Android on it, or just a bloat-free ROM? My devices became noticeably slower with (official) major Android version upgrades.


The latest LineageOS ROMs. They seem to work well.


Would this system come with plausible deniability?

Also, does anything like this exist for desktop operating systems?


Yeah. You can install GRUB and default load it to a Windows 10 fresh install. Put some dummy files on the desktop, make it cluttered with pictures of cats and articles about meditation. This might sound like a great idea, maybe I should try it!!


People say they scrape the filesystem (rather than copying everything), maybe they'd detect *nix systems too.


If there is a common mechanism for triggering dual boot, they would know about it and try it out too. So, not unless you use a unique, inconspicuous mechanism.


I don't know much about cryptography or low-level software, but could you hide the second profile inside the encrypted data?

For example, I believe Truecrypt has a dual container system with two passwords in addition to their regular encrypted containers. You enter one password to get to the "fake" container and another password to get to the "hidden" container. Plausible deniability exists where it is impossible to prove whether you are providing the hidden password and whether there is a second hidden container.

Could a similar system be employed for a mobile device? The core OS components could be shared by both containers and it's clear that you could potentially have a second hidden profile, but it's not possible to prove that it exists.

Of course just the presence of countermeasures on your devices would raise suspicion.


Lying to immigration officers is a crime. If you're going to go that route, you better be damn sure it's gonna work and they don't have prior information on you.

If you're at the point where this seems like a good idea, you're better off not bringing data over the border.


I've always preferred having a dedicated desktop that acts as a personal server and then a small cheap laptop that I use to remotely access it.

While this preference is mostly driven by capitalizing on the performance/price/size difference between desktops and laptops, it has lots of advantages when it comes to these situations.

My Dell XPS 13 only has 128GB of storage so none of the data exists solely on that device; it acts mostly as a dumb terminal that I use to SSH to my desktop. I suppose upon booting the machine they could request SSH key passwords and then search my desktop but this seems unlikely.

While most of the issues with these border searches are privacy/ideology based, these types of security theatre can easily be circumvented.

Of course, just using Linux may get you detained for a bit which makes it all moot. Maybe having a business card saying I'm a systems administrator (which is true) would make Linux an easy explanation.

If these searches increase and become normal, I think it's only a matter of time before Apple implements a cloud based 'data refuge' that would allow users to temporarily offload encrypted sensitive data to the cloud while crossing borders and traveling to countries with weak or no privacy laws.


My assumption is that this will become "the norm" for anyone that frequently travels across borders and deals with sensitive information.

As another commenter mentioned above, in the age of the internet and almost ubiquitous connectedness to it, what need is there to transport files on a device that can be seized and searched?

It's purely a limitation of the technical knowledge to make it easy to access data remotely. Package it up and sell it and you've got yourself a tidy little niche. Just watch out for governments asking for (or trying to create) backdoors.

When I traveled overseas I factory reset my phone and just used a dummy gmail address on it, then put my normal account back on once properly in the country. It's a matter of managing the details required to "get everything back" with minimal time and hassle. I'm a boring person unlikely to get onto any lists, other than the fact I like the intellectual challenge of maintaining a level of privacy slightly above what the 'state' might want me to have.

Too many people doing this, however, would cause a surveillance step-up to spot checking tourists / visitors mid-visit. That'll be an interesting law to try and pass.


related: 1Password Travel Mode https://support.1password.com/travel-mode/


Do you have a citation on how using Linux can get you detained?


I haven't heard of Linux getting people detained at border crossings, but it definitely gets you more scrutiny from other government organizations like the NSA[1].

[1] https://www.eweek.com/security/linux-lands-on-nsa-watch-list


>traveling to countries with weak or no privacy laws.

Like Canada?


I'm genuinely curious which countries are not in that list.


I travel similarly equipped - with the idea that I can't lose (or lose control of) data I don't have with me. This addresses the threats represented by border control, intranational security checks, theft of device, and unintended hardware acceleration (@9.8m/s^2). At most, a laptop or a phone is a cache of data that's already elsewhere.


It's really the unintended deceleration you need to worry about.


Digital privacy while crossing borders seems to increasingly be an issue. And I'm worried that it's not going to improve any time soon. Politicians and very rich people don't deal with border security the same way normal people do.


That’s my main issue with the recent trend to make international travel harder.

There’s a huge push to assume that travelers are criminals and all kind of inconveniences, expenses or outright humiliations are O.K.


I've certainly reduced my tourism levels on account of CBP. Can you not rip my car to shreds every time I cross the border?


Thus reducing CO2 and working towards saving the planet


If you took cars away from the entire population that would only account for up to 25% of the CO2 being released. So, on this small a scale it's doing almost nothing.


A 25% reduction in CO₂ is a massive undertaking the likes of which have never been attempted before.


And yet it still is not enough. Not to mention that banning car usage will disproportionately affect poor, disabled, rural, and mentally ill people.


Even very slightly rich people who are frequent travelers often don't have to deal with the same indignities thanks to programs like Global Entry and TSA Precheck. I imagine these programs greatly reduce the backlash from those who have significant political influence.


Many of the services which could be accessible from those devices are American services with data residing on American servers. I wonder if it is possible to use hacking laws as a means of dissuading border agents from looking at devices. A Canadian agent might have jurisdiction in Canada but what if they get charged under the CFAA in the USA for accessing a server they aren't legally allowed to access. Perhaps it would be possible to design a specific legal/digital service for people to install with servers all over the world as a type of legal landmine meant to punish agents searching data by using hacking laws in many jurisdictions. Think of it like copyleft for stopping agents from snooping.


CBSA officers are directed to disable any internet connection and only examine content that is already stored on a device


They are directed to, but what is the penalty for not following directive? South of the border this would mostly result in getting assigned to a desk job.


Perhaps one could add a specific sort of legal DRM crypto layer and then get them for anti-circumvention. No internet connection required.


As you might expect, law enforcement is specifically exempt from the DMCA's anticircumvention provisions. I would imagine that's true for other countries' equivalents as well.

Same with the CFAA.


He's suing to get them back and for compensation for having to "temporarily" replace them, but even if he wins he probably shouldn't trust either device in the future (possibly more so for the laptop).


>he probably shouldn't trust either device in the future (possibly more so for the laptop).

Seems risky for the government to put any firmware/hardware implants on those devices. The user is naturally going to be suspicious of it because the government had unrestricted access for days/weeks. So there's a high chance that the user might not even use it or will send it to an expert for analysis. If discovered, it's going to look extra bad for the government because there's no doubt that they did it.


Suspicious, sure, but most users aren’t equipped to do that kind of diagnosis, and many won’t be able to afford new devices, and maybe it will look even worse for the government but I am certain absolutely nothing bad will happen to the people who added the malware.


But in this case the EFF would love to do a forensic examination.


$30 smartphones exist.


Or if the implant was software based, they could release the code so it can be flagged in antivirus / the hole patched.


Call me paranoid, but I'd be putting those devices into a heavy duty shredder if I got them back.


Why — security researchers would gladly buy them for a nonzero sum.


That would mean giving away your private data you had on the device to security researchers as well though. While I would want to have such device analysed, I am not sure I am fine with that compromise.


Nah, you wipe the drive and then give it to them, so they can check for firmware hacks.


Eh, wipe disk (or install a new one), re-install OS, and if you're super paranoid then re-flash BIOS and you should be good to go.


That's literally useless for government sponsored persistent malware.


Can you expand on this? I'm curious and a little Googling didn't yield much


Many of the more technically advanced governments create and/or buy malware which is able to persist in places other than just your hard drive and BIOS.

As it seems you're new to the idea, look into APTs for a general understanding of how persistent threats can be useful when they're embedded into a target:

https://en.wikipedia.org/wiki/Advanced_persistent_threat

The mechanisms for persisting outside of HDD/SSD data areas and the BIOS can vary. There are a lot of support chips in computers and peripherals. For example, Intel's AMT (supposed to secure PCs) has been shown by researchers to be a useful place to put malware.

https://en.wikipedia.org/wiki/Intel_Active_Management_Techno...

I'm not personally sure if there's active malware using that vector yet, it's just an example. But it also wouldn't be even slightly surprising.

Does that help? :)


Some Russian hackers at DEFCON a few years back handed out power cables that leaked data via the hotel's power system.

I've also heard of altered USB-C power cables being used to exfiltrate data, and a software-altered USB port used as a radio wire.


Snowden revealed that the government is capable of planting malware in peripheral firmware. So you can have a hacked bios/EFI, system controller, security chip, hard drive, SSD, GPU, WiFi/networking card/chip that is virtually impossible to detect from the main OS.


Yes, if determined the government agencies have tremendous capabilities. But will they use it at a large scale, i.e. against an arbitrary lawyer?


I’m thinking maybe this guy was flagged because he is a lawyer and might have sensitive information on a person of interest.


Maybe they put a keylogging device between the keyboard ribbon cable and the motherboard? Say this device exfiltrates keypresses via a radio and a government agency, knowing where you work or live, can then pick up the data wirelessly.

It’s a bit sci-fi, but well within the resources of any of these governments.


Security goes beyond technical means. Sometimes it also involves keeping an eye out for flower delivery vans.


If the bios is corrupt it can corrupt the OS. So that the OS does not really flash it. Or there might be a hardware exploit that makes it look like the bios is being flashed while keeping the corruption or one that injects the corruption after each bios flash. In general if the HW has been modified it would be really hard to detect the exploit.


I think we simply don’t know in this case.

But if a super sophisticated approach is used, they could just as well catch and prepare your computer before you receive it i.e. if you ordered it by mail.


Apparently that's already been happening for years:

https://www.theatlantic.com/technology/archive/2013/12/nsa-i...

Seems like a one-size-fits-all approach leaves gaps in targeting, so something a bit more Tailored for the others makes sense.


Why doesn't everyone simply refuse to share passwords, as is mentioned numerous times on various Canadian government websites? Basic search finds tons of pages from all sorts of departments https://www.canada.ca/en/sr/srb.html?q=share+password

A few samples

> 95% [of polled Canadians] know not to share their passwords

https://www.getcybersafe.gc.ca/cnt/rsrcs/vds/nln-sft-stck-p/...

> don’t share your PIN, password or personal security questions and answers with anyone, not even family members

https://www.canada.ca/en/financial-consumer-agency/services/...

> If you’ve shared passwords with friends, now would be a good time to change them

https://www.getcybersafe.gc.ca/cnt/blg/pst-20180913-en.aspx

> Protect your password, don’t write it down or share it with anyone and change it often

https://www.canada.ca/en/employment-social-development/progr...

A few days of every single traveler saying "no" would force them to either begin seizing all electronic devices or to drop the entire endeavor as untenable. This problem doesn't need a technical solution beyond making sure locked devices are actually secure.


Because border police have authority


Could you elaborate on that thought?

Individuals also have the authority to assert their rights, one of which in Canada is the freedom from unreasonable search and seizure[0]. R v Fearon[1] places limitations on this exact type of search one could easily argue aren't met given the descriptions of these searches I've read.

[0] https://en.wikipedia.org/wiki/Section_8_of_the_Canadian_Char...

[1] https://en.wikipedia.org/wiki/R_v_Fearon


You don't have any rights at the border. The moment they decide to search you they will ask for your passwords. If you don't give it, they'll detain you until you do.


> You don't have any rights at the border.

This is, to the best of my knowledge, factually untrue.

> Canadian courts have generally recognized that people have reduced expectations of privacy at border points. In this context, privacy and other Charter rights continue to apply but are limited by state imperatives of national sovereignty, immigration control, taxation and public safety and security. The Canadian courts have not yet ruled on whether a border officer can compel a person to turn over their password and on what grounds, so that their electronic device may be searched at a border crossing.

https://www.priv.gc.ca/en/privacy-topics/public-safety-and-l...

It goes on to specify that while the law is unclear, an unpublished Canada Border Services Agency policy states searches "should not be conducted as a matter of routine; such searches may be conducted only if there are grounds or indications that “evidence of contraventions may be found on the digital device or media.”" [nested quotes sic from page, presumably from this unpublished policy]

IANAL (nor Canadian) but the Canadian Charter of Rights and Freedoms and the Customs Act, and probably many more documents and judicial rulings, define the rights available to anyone crossing the Canadian border. CBSA policy may not be legal, and only by exercising their rights and refusing to cooperate with illegal orders will citizens be able to effect change.

Many brave people in the past have risked detainment, property seizure, and worse in order to protect the civil rights of millions of others. Apparently, in regard to safeguarding personal data privacy, this is again necessary.


The Charter is an embarrassment/joke -> see notwithstanding clause.


What if you do not know the password for the computer (e.g. if you are transporting someone else's computer, or because it is damaged and needs to be repaired), or if it is time locked?


Then I’d assume it would be confiscated like what happened to this lawyer.


This is the definition of a police state, with law enforcement officers empowering themselves and demanding to go through your personal papers, how dehumanizing is this?

What is the difference between this and the stasi or the police of any totalitarian state demanding to go through your personal papers? There is a huge difference between physically checking your laptop or phone and demanding to go through its contents and your personal data and thoughts. This is hugely invasive and dehumanizing and is the definition of totalitarianism. The word democracy by definition cannot include this.

Even more disturbing is the cognitive dissonance of those who have complete moral clarity when condemning police state tactics in some third country and then stretching credulity to normalize the exact same thing when done by their own governments or 'democracies'. This is the dangerous road to totalitarianism where values are not defined by actions but actors.


Fighting this is all well and good, but we should look into the near future to when brain scanning or lie detecting has improved.

The fundamental problem is that governments believe they deserve to know citizens and travelers' thoughts. (Cell phone contents are a close proxy.) I disagree, and believe they can still provide adequate border and intranation security without it.


So what’s the Canadian government's real position on this?

Are individuals and companies allowed to store private and confidential data, or is all information seizable by the government without a warrant at the border?

They can pick one...


It's not that black and white. Private and confidential data is allowed; however, customs and border patrol also have legal authority to inspect such private and confidential data when you cross the border. They do not have the right to inspect it, without warrant, elsewhere.

This is the same in the US, maybe even worse in the US. Customs can inspect your home if you live within 100 miles of any border...

https://www.citylab.com/equity/2018/05/who-lives-in-border-p...


Why do border services think they can seize a device and send it to a lab?

If a border officer suspected I had a hidden compartment in my suitcase could they ship it off to a special lab?

I don't agree with (but can see the logic in) them copying data off your HD and trying to crack it later.

But I don't understand what legal argument is to be made for arbitrarily seizing property at the border.


>But I don't understand what legal argument is to be made for arbitrarily seizing property at the border.

It looks an awful lot like garden variety theft, to me, which makes me question whether or not we should use their vocabulary here ("seize", versus "steal"). That said, I hesitate to wager on whether or not a court will side with the victim.


> Why do border services think they can seize a device and send it to a lab?

Because they can. But the bigger question is the "should" of it.


It used to kind of make sense when they were just searching physical property (baggage). There is a legitimate argument for wanting to stop dangerous or immoral things from entering any given country (weapons, poached ivory, foreign animals that may disrupt the ecosystem, unsafe food/drugs, etc).

Then there are financial reasons for stopping some items that have tariffs or duty on them. Then there are legal reasons for stopping other things that violate the law (items that violate local copyright/patents, etc).

I think most people would agree with those items above, so they have a legal right to search you and your belongings. Those same laws have been applied to computers and phones without any new thought. So, if they have to ship it off to a lab to search it because you won't share the password then they have the legal authority to do so.

I don't agree with all of it, but they have the legal authority to do it.


> He said the officer then confiscated his phone and laptop, and told him the items would be sent to a government lab which would try to crack his passwords and search his files.

Hopefully they were powered down and used proper full-disk encryption.


Honestly, that's not something you can expect from regular non-power users. Full-disk encryption isn't enabled by default on most consumer laptops, and few regular users go out of their way to set it up.


You don't need "full" disk encryption on Chromebook devices or Android phones. Both ship with file-based disk encryption for all user data, on-by-default for all recent devices.

When I travel out of the country, I reset my phone and Chromebook to their factory defaults and then provision a decoy account. Once I'm across the border, I provision my primary account.

Even if they image my devices, all they'll get is old encrypted garbage for which the key is unavailable because the key was rendered inaccessible when the device was reset to factory defaults.


They could replace part of the password-checking software with a backdoored version that would send your password off to them. Your data is protected, but the OS can still compromise it and a bad actor can replace parts of the OS (which is open source in both of your cases, making the process even easier).


On Chrome OS, this should cause the “your OS is unverified” warning to show up.


Does that mean that every OS file is signed and checksummed like on iOS (correct me if I’m wrong)?




Yes, except you have the ability to replace it if you'd like.


Full disk encryption is the default on MacOS Mojave.


It's also enabled by default on Surface Book 2 (and possibly other Surface line devices). No idea how well Bitlocker (or Windows Hello for that matter) stand up to border control.


BitLocker security depends on TPM usage. If it's turned on a lab can crack it rather easily because the keys can be stolen via LPC.


> Full disk encryption is the default on MacOS Mojave.

But many people don't use a strong password/phrase.


Do you think it's better to have an iPhone powered down or on?

I am wondering if it would be possible to leverage remote wipe features, but maybe the border agents power off the device or put it in a bag / container that blocks cellular signals.


Powered off.

Law enforcement has tools like Cellebrite and GrayKey that can unlock or extract data while the phone is powered on but locked.

Apple is making this a bit more difficult by disabling the port if the phone hasn't been unlocked for seven days or more, but if the device is powered on and law enforcement acts fast, it's vulnerable.

https://ios.gadgethacks.com/news/heres-apples-stopping-polic...


USB devices are disabled 1 hour after the last unlock on recent versions of iOS.


Remote wipe might not play very well. If it was detained in relation with a crime, they might go with 'attempting to destroy evidence'.

Look at it this way. Suppose the seizure of the phone was totally reasonable (because that is how they will think about it). Now, that suspected criminal who apparently had something to hide decided to remotely tamper with evidence after we lawfully detained it? That is subversion of justice!

The above is an argument I'd expect to hear from them.


Isn't it legal to destroy evidence that can be used against you? That's basically exercising your right to not self-incriminate.


Oh dear no. The U.S. protection against compelled self-incrimination is for testimony, not seizure of papers/effects. Spoliation of evidence is illegal, and in some cases if it's not a crime by itself, it can still even lead to doubt being resolved against you (in other words, if you destroy a key document in a legal proceedings, the court might make a legal judgment that assumes the document's contents were as bad as possible for your case, even if it actually wasn't).


Shouldn’t matter. The key thing is to have a strong password, and disable any biometric authentication beforehand. (You can do this by squeezing the side buttons for a few seconds until the “power off” screen appears. The phone will then require a password before reenabling biometric authentication.)


Will that also terminate the in-memory ephemeral key that’s set up at first login to permit background app refreshes?


Good question, I forgot about that. I'd have to read through the security guide again. I wouldn't personally worry about that, as I think the system is sufficiently robust against external attacks, but obviously other people's priorities and levels of paranoia may differ.


Powering down if possible and then initiating a remote wipe for my supporting Apple devices (macbook, iphone) as soon as possible would be my very first move. It's possible they do have procedures in place to block connectivity to any wireless networks, but couldn't hurt to try.


Powered down.


> Hopefully they were powered down and used proper full-disk encryption.

What exactly is full-disk encryption? How do I do it the way a government lab won't be able to crack it?


I meant what exactly is proper full-disk encryption.


Personal computers (and cell phones) contain more information than people could have ever imagined when policies around searches at borders became a thing. It's really unfortunate that there's no desire to respect that. You could find more from someone's smartphone than you could via a search of their home with a warrant.

I'm pretty glad I travel a lot and can afford a second phone as a total burner that I keep nothing on, and a new m.2 SSD and a clean install for my laptop. It's saved so much hassle, as the one time I was asked to look at them, it was an easy "Sure officer, go right ahead. I hope you're quick though, there's nothing on either."


> Officers uncovered a customs-related offence during 38 per cent of those searches, said the agency.

This is hard for me to comprehend. Does anyone have an idea of what 38% of the phones can have stored on them, that is illegal to have when crossing the border?


> Does anyone have an idea of what 38% of the phones can have stored on them, that is illegal to have when crossing the border?

Generally it's things like text messages from friends/family/potential employers that lead agents to think the person isn't going to abide by their non-work/short term visa.


That isn't a customs-related offence, though - that's an immigration-related offence. Customs is concerned with the movement of goods, not movement of people.


They handle both at the border.


It’s not on 38% of phones. It’s on 38% of phones that they search, and they only do that in situations where they think they are likely to find something based on the story provided by the traveler. Usually it involves working on a tourist visa, or intent to overstay on a visa (person claims to be visiting but does not intend to leave).


I think I've mentioned it before on a story like this but if you watch the Border Security shows it's pretty obvious what most of the people they search end up being. Yeah it's a show but it's a pretty good slice of what they get.

Here's the American version. https://www.netflix.com/title/80107514

They had a Canadian and an Australian but seems to have been removed. http://natgeotv.com/ca/border-security https://7plus.com.au/border-security-australias-front-line


the phone doesn’t have illegal material, it has evidence of an offense. in case that isn’t clear.



Why aren't plausible deniability passwords a feature in operating systems? Especially since many now offer full disk encryption.

What would happen to these searches if plausible deniability passwords became more widely used?


I took a workshop on custom Kali builds where they specifically spoke about LUKS headers and shipping them via email/gdrive to yourself and removing them from the physical device. It renders the partition useless. This was viewed as a better alternative than something like TrueCrypt with decoy passwords since if the government can ever prove you did it then that's obstruction. With the headers gone and no local copy you can't provide what you don't possess.


> This was viewed as a better alternative than something like TrueCrypt with decoy passwords since if the government can ever prove you did it then that's obstruction.

If that qualifies as a type of legally actionable obstruction, it would seem that intentionally wiping your device before you cross a border and then reloading data onto it once you arrive at your destination would also qualify.


In one, you intentionally give false information and lead the government to believe you complied in good faith. In the other, the data is inaccessible and the government is aware it is inaccessible. They can then evaluate risk and seize the device or take some other action from that knowledge. IANAL and I don't play one on TV.

ETA: To complete the threat analysis, and if they seize two devices, one with a password protected key and a LUKS volume without headers? I'll take LUKS.


> In the other, the data is inaccessible and the government is aware it is inaccessible.

Because the person made it inaccessible with the intention of concealing it from law enforcement and others. There is still a means to decrypt the data.

All of the actions described in this thread - whether it's decoy passwords, encrypted volumes with headers, burner devices, or wiping data and then restoring at the destination, all seem like they could be construed by law enforcement as a person obstructing their ability to sift through the individual's data.

(But IANAL either.)


Just don't use LUKS, use dm-crypt in plain mode and separate 2 flash drives - one with the bootloader, another with unformatted partition with the key at certain offset (or you can have both on single flash drive).

Then you can mail those flash drives around and backup them as you need. I think it is even possible to use Yubikey for dm-crypt in plain mode.
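
What the "headers" in the comments above actually hold, as an added example that is not part of the thread and not cryptsetup's own code: a parser for the LUKS1 on-disk header, which stores the cipher parameters plus the salts and offsets of the key slots that wrap the volume key. The LUKS1 format version is an assumption (the comments do not say which one was used), the sample header is constructed, and a device with no header, as with dm-crypt in plain mode, simply yields `None`.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
SECTOR = 512
SLOT_ACTIVE = 0x00AC71F3    # LUKS1 marker: key slot in use
SLOT_DISABLED = 0x0000DEAD  # LUKS1 marker: key slot empty

# LUKS1 header layout, integers big-endian: 208 fixed bytes + 8 slots * 48 = 592.
PHDR = struct.Struct(">6sH32s32s32sII20s32sI40s")
SLOT = struct.Struct(">II32sII")


def _text(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\0", 1)[0].decode("ascii", "replace")


def parse_luks1_header(blob):
    """Return header fields as a dict, or None when no LUKS magic is present."""
    if len(blob) < PHDR.size + 8 * SLOT.size or not blob.startswith(LUKS_MAGIC):
        return None
    (_, version, cipher, mode, hash_spec, payload_off, key_bytes,
     _digest, _digest_salt, mk_iter, uuid) = PHDR.unpack_from(blob, 0)
    if version != 1:
        raise ValueError("only the LUKS1 layout is parsed here, got version %d" % version)
    slots = []
    for i in range(8):
        state, iters, salt, km_off, stripes = SLOT.unpack_from(
            blob, PHDR.size + i * SLOT.size)
        slots.append({"active": state == SLOT_ACTIVE, "iterations": iters,
                      "salt": salt, "key_material_offset": km_off,
                      "stripes": stripes})
    return {"version": version, "cipher": _text(cipher), "mode": _text(mode),
            "hash": _text(hash_spec), "payload_offset": payload_off,
            "key_bytes": key_bytes, "mk_digest_iterations": mk_iter,
            "uuid": _text(uuid), "slots": slots}


def active_slots(hdr):
    """Indices of key slots that currently hold a wrapped copy of the volume key."""
    return [i for i, s in enumerate(hdr["slots"]) if s["active"]]


def keyslot_extent(hdr, index):
    """(start byte, length) of the wrapped key material for one slot."""
    slot = hdr["slots"][index]
    return slot["key_material_offset"] * SECTOR, hdr["key_bytes"] * slot["stripes"]


def header_region_bytes(hdr):
    """Bytes before the encrypted payload: the header plus all key material."""
    return hdr["payload_offset"] * SECTOR


def build_sample_header():
    """Constructed LUKS1 header for the demo; every value here is made up."""
    phdr = PHDR.pack(LUKS_MAGIC, 1, b"aes", b"xts-plain64", b"sha256",
                     4096, 32, bytes(20), bytes(32), 120000,
                     b"00000000-0000-4000-8000-000000000000")
    slots = b""
    for i in range(8):
        state = SLOT_ACTIVE if i == 0 else SLOT_DISABLED
        slots += SLOT.pack(state, 200000 if i == 0 else 0,
                           bytes([i]) * 32, 8 + 256 * i, 4000)
    return phdr + slots


if __name__ == "__main__":
    hdr = parse_luks1_header(build_sample_header())
    print("cipher:", hdr["cipher"], hdr["mode"], "active slots:", active_slots(hdr))
    print("slot 0 key material at byte %d, %d bytes" % keyslot_extent(hdr, 0))
    print("header region to back up: %d bytes" % header_region_bytes(hdr))
    # A zeroed header region (or a plain-mode volume) carries no metadata at all.
    print("after wiping the header:", parse_luks1_header(bytes(592)))
```

The passphrase only unlocks a key slot; the volume key itself exists solely as the wrapped key material inside the header region, which is why losing every copy of that region makes the payload unrecoverable even with the correct passphrase.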


I really can't be the only person who travels internationally with a burner phone and burner laptop. I'll generally wipe them both sitting at the airport waiting for my flight home, just so that I can have the e-passport application up by the time that I land and go through customs. (Admittedly, I should just upgrade my TSA Precheck to Global Entry, but, I'm not even sure that I want to go through with that process).


When I was working at Google I had to go through some training videos that explained that you should never bring corporate devices across the border for this very reason -- that they could be searched, thus breaking the NDA. They'll ship you a clean laptop instead.


Do you actually have to tell the officers your password or do you need to just unlock the device? Also, are you allowed to be there while they are searching it to see what they’re looking at/searching for?


I never really understood the reason for seizing an electronic device anyway. Surely if something was important / secret enough it wouldn't be _on_ the phone. What are they looking for, exactly?


Most criminals don’t actually have great OpSec.

I’m sure there are tons of phones that have incriminating photographs in the default camera app, or incriminating text messages or saved voicemails or who knows what.


In reading crime stories from my area, this IS the case.


Most people don't have great opsec, and most people are technically criminals.


They are looking to toy with you. Power is a funny thing, especially when there are no consequences for abusing your power.


> What are they looking for, exactly?

Probably anything incriminating. Human nature is laziness so if the guy was a baddie then there's a high chance something could be on the devices.


Most violators of the law are not "baddies", unless you believe most people are "baddies"


LEOs' prerogative is to see how you are violating the law. Their view is to gather all data which could turn into evidence at a future point. This is that scenario and LEOs do perceive us all as 'baddies'.


Most people are not baddies, but some are. True malevolence is quite real unfortunately.


>Most people are not baddies

According to the moral sense or The Law? As in "Three Felonies a Day". Because gestapo doesn't have too much interest in the former.


Why would it not be on the phone?


Refer to the article of this thread.


Intimidation and overt censorship. No doubt this simple device pacifies a good subset of society and promotes self-censorship.


Cases like these make me want to take extreme precautions when traveling.

I recently returned from a trip to the US, and prior to boarding (in any direction) I wiped my browser history, and logged out of iCloud, wiping all message history etc. When I arrived at my destination I simply restored from the last iCloud backup, and things "magically" reappeared.

Reading the comments here made me realize that it's much more than just personal emails/notes, but also things like Uber history, frequent locations, frequent calls, etc. Basically anything you do that has a pattern to it, or matches a list of keywords.

As I don't see the need nor justification for any government to profile me in detail, I'm seriously considering doing a complete wipe of the phone for my next trip, setting it up as a basic _phone_ and restoring a backup once I arrive. For a laptop I would probably set it up as new, and bring an installation media with me, reinstalling when I arrive.


If you demonstrate that government employees changed files all over your hard drive during a "search" then I wonder if recourse or compensation or legal action is possible.

I understand the law permits CBSA agents to perform warrantless searches. e.g. reading the contents of your hard drive. This is, rightly, controversial. But then does the law also permit them to modify the contents of your hard drive?

The act of logging in and browsing your computer will make many changes to system log files, to metadata of documents (e.g. last accessed date), etc. (Just thinking out loud about technicalities and other angles on this.)


Same thing happened to me last year, flagged by Canada customs as some kind of potential sex criminal being a solo male traveller and I just gave them my unlocked phone to search through so I could get out of there after a 12hr flight.

I had keepassx android 3rd party app installed to keep financial info and passport pics in case my bank cards and other things were stolen, totally forgot it was there and they didn't even ask me for the pw, returning my phone and letting me go. If I was a degenerate criminal I could have had anything in there; I was surprised they didn't notice it.


Exactly how many meaningful crimes have been prevented or busted because of this behavior?

I think sacrificing liberty for security is generally a bad idea. But it seems we're increasingly sacrificing liberty for nothing, which is a rather worse idea. We're creating a dystopia for what? To get people to click on ads on one front, and on fronts like this - the pretext is mostly to stop terrorism, but that's something that should be cleanly quantifiable. So let's quantify it. How many terrorist attacks has this stopped? I think the safe ballpark is exactly 0.

I also don't understand why more people don't seem to ask this question. Can governments do this is going to be an extremely difficult to answer question that few of us lack the expertise to even begin to delve into. Even for those of us with it, there are contradictory views. It seems much easier to answer should governments do this. And if they're driving a meaningful deterioration of society, as I would call the stripping of basic rights of individual privacy, and have nothing of substance to show for it - then this is something for which there is no ambiguity whatsoever.


> He said the officer then confiscated his phone and laptop, and told him the items would be sent to a government lab which would try to crack his passwords and search his files.

I'm breathlessly waiting for the "We will not go to Canada! Move the conferences out of Canada!" posts.


Just enable guest mode. Pretty sure they're not employing top notch cyber investigators for security searches. They aren't smart enough to know the difference and it'll meet their "requirements". Fucking assholes


Considering he is a lawyer and a politician and civil liberties activist, he knew CBPA’s rights very well, and this is a public stunt to encourage the government to change the law.

A simple search about this Nick Wright reveals that this is not his first encounter with the authority. He is definitely more active about civil liberties than the average person. He has been arrested during a G20 event, and his story then sounds a bit like this one.

So, we either have a case of lightning striking the same person twice, or he likes to play games with the law.


> So, we either have case of lightning striking the same person twice, or he likes to play games with the law.

Or he's being targeted now because of his past activism.


Something I wish iOS had is the dummy password to unlock the phone into a sandbox-type area without any of my personal data. “Yeah sure I’ll unlock it, nope that’s all I have on there”


I think this might backfire, though.

It's the same problem with Veracrypt/LUKS hidden volumes. If they know about the sandbox capability, they could easily say "okay, now unlock the real one" if they find nothing incriminating. What happens if you _did_ unlock the real volume/sandbox in the first place and have nothing incriminating on it?

Only remedy for this is having arbitrarily many sandboxes.


You could get away with it if you could download sandboxes from iCloud and be allowed to have multiple sandboxes.


I’d love to have a second password that when I enter it automatically encrypts the phone and simultaneously loads a dummy user account.

This way I can give them my password, let them look around at some basic programs, benign emails, photos, etc. and then hand me back the phone.

Perhaps even a couple dummy passwords so I can keep a password like “1111” to generate a false positive if they try to brute force my phone.

I’m surprised this doesn’t exist as a jailbreak feature.

If it does, please let me know as I’ve looked.


The problem is if these features become common enough you will start getting asked about them. Even worse, if you aren't using them you may be asked to provide something that is impossible to provide.


So the answer I suppose is as stated. Cloud backups and when traveling, clearing our devices.


I don't know the past of that lawyer, I don't know if that story is true or not, but it worries me even if I am 6000km away.


On Linux, one could use dm-crypt in plain mode with keys on a number of flash drives. Good thing about keys, they look like unformatted disks, so you can send flash drives via mail in advance. Whenever you open a laptop like this without a key inserted, it looks like it has no bootloader, no OS. There is no metadata, no nothing.

Get ready to have your devices seized though =).


Is it legal to take steps to intentionally frustrate any future searches that may be done against the device by border agents, in cases where there is no other crime being covered up?

For example, having a trusted remote party encrypt your data, and that party will only decrypt it once you've cleared customs?


The problem here is that they confiscate regardless. Even when it's very clear they do not have the means to break the encryption at all. Any excuse, reasonable or not, will dissatisfy them and they'll confiscate either permanently or temporarily (both seem to have happened).


It seems to me that the best option is to keep sensitive data on encrypted removable storage devices while having light security on the internal storage of a laptop or phone.

Access could then be granted to the laptop/phone, but refused for the external storage device. You want to indefinitely detain my $20 SD card if I won't give you the password? That's not a sufficient threat to convince me.


They could also refuse entry or detain you if you're not a citizen for obstruction of justice.

These laws that give border security unfettered search and seizure authority along with issuing punishment for non-compliance is the problem.


I agree, the laws are the problem. I can't do a whole lot to change the laws, and I am a citizen of the country I think is most likely to try something like that, so the technical solution is really all I have. So far, I have not had to employ it.


Why not just store the encrypted data on the internet in that case, and buy a (cheap/2nd hand/refurbished) empty laptop once over the border?


Why wouldn’t this be legal?


IANAL, but in the U.S., maybe something like "conspiracy to obstruct justice".

I know even less about Canadian law, so I have no idea on that side.


While for a laptop one can use xen ( or grub, or similar ) to default boot into a pretty boring image of, let's say, windows 10, with some fake-but-good-looking documents, photos, etc, I wonder what are the possibilities on a smartphone? Would this be possible on an Android?


That really won't fool them though. EFF recommends against it too.


What exactly is wrong with this approach? It should get you through the border with no further suspicions, since I’m guessing they don’t have the time to be checking for hidden partitions for every traveler they pull over.


1) Because this can give officers probable cause to detain you. Just like if they find a hidden compartment in your luggage, even if there's no contraband in it, you'll be held many hours in a freezing cold room while they examine every detail of you and your property.

2) Because it could be a crime. Failure to disclose an encryption key if requested by UK Police and Customs authorities is a breach of The Terrorism Act, for which you can be arrested.

3) If they ask if you have hidden or encrypted data, and you lie about it, in the US you're now guilty of a federal crime -- even if the hidden volume itself is empty or innocuous.


Yes, true.

But if you are at the border and give to the officers all what they want ( access to your laptop and phone ), why would they have further suspicions to interrogate and/or detain and deep search your devices, if you are really a clean person, dunno, white, 30-40 years, suit up, good clothing, no strange stuff in traveling history..etc.?


I remember signing documents that said I (basically) would not allow anyone access to my work phone or laptop. This would put me in quite a pickle if work council wasn’t immediately available I would think.

Glad I don’t travel for work outside the US.


Next project: figure out how to add a fake user to my MacBook and only have the real HD / user boot if a key combo is placed. Apple should add users and this as an option if they care about security, to iOS.


They should show just one account, but give it two passwords: a real one, and one that secretly takes you to a different account that's also customizable.


https://borderprivacy.ca/ It's a site trying to campaign about this issue.


Even for Canada, standard disclaimers apply to any hardware taken by the government: Don't connect them to anything else, bleach them and burn them.


I'm planning a trip overseas sometime in the future, and I'm sorely tempted to write up some malware that will activate if someone attempts to download my hard drive in the wrong way. I'll provide the password, along with a statement that I'm not authorizing a search of the drive, and if they want to break the law they are doing so at their own expense. Any lawyers know if I would still be liable for the outcome?


I think the best solution to that is to have a "honeypot" account, at least on your laptop. Have a random account with some photos / random documents that you login to by username. Hide the main account's home folder and hope the authorities aren't savvy enough to look properly. They probably aren't.

Perhaps add something to its login files that'll automatically wipe the main account data.


I think there could be a market for backup/wipe/restore services. Very feasible for phones leave minimally needed contact info during travel.

For laptops keep the OS on device and user data on external pulled and put in checked luggage. Security's annoying but lazy.

Edit: removable storage on mobile could get popular as a privacy feature.


I imagine a service which makes an image of your system and launches it as a remote VM that you can access or store to an encrypted external disk.

If your encrypted disk gets through then you can restore your data or boot from it.

If not then you can remote into your machine in the cloud or download the image if you have access to a fast connection at your destination.


Get a Chromebook, factory reset before going through security, go through the security, then login. Same for the phone for android. Nowadays both Chromebook and Android recover almost all states back fairly quickly and smoothly that you can do this with minimal hassle.

i.e. There's no password to share if the devices are fresh.


These cases keep on cropping up and you see people suggesting to do some sort of technical trick like taking the hard-disk out of the laptop and carrying a TailsOS live USB flash device for your computing. Other tricks might include mailing a USB flash disk to a hotel reception with the intent of picking it up when you arrive. These are all fraught with risk and you could appear extra suspicious by doing these. Another 'trick' I see people advocating for is trying to act like a so called 'normie' and having normal average joe files on your computer and maintaining an innocent-looking browsing history where you can be seen visiting cnn.com or even cbc.ca for your news and not some left-wing conspiracy websites. The only caveat with the 'normie' method is that you will need to access your more controversial/sensitive files at some later stage, so this could mean logging into Dropbox and then downloading an encrypted Veracrypt container onto your machine and proceeding to work with those files in the privacy of your hotel/where-ever.


Well, I'm not sure if one wants to just call security approaches "tricks". A "trick" approach is often one that can be undone if your adversary knows about it (keeping your files hidden somewhere in your luggage would be a "trick"). A cohesive approach should be unbreachable if minimal conditions are met.

If you can assure a "trustworthy" base computing environment (one that isn't keylogged etc), then having your valuable files encrypted in a remote location should work (which is the idea of tailsOS boot + a remote drive). How determined the adversary is would determine how hard they might fight against you getting such a trustworthy environment.

Just sayin'


The “tricked-out-bootloader” approach also seems to be brought up often: have your hard drive partitioned into two sections (or even have two hard drives), then configure your bootloader to start up the non-encrypted, not suspicious partition unless you press a specific key combo at boot and enter your disk encryption password.



Pretty sure this can count as lying to / misleading a border agent.


Is "now, listen, you knew what we meant" a valid response, though?


Something similar happened to me. One of the most uncomfortable moments of my life.


I guess America no longer has a monopoly on that unique brand of freedom.


He did the right thing... Even if it was illegal.


Since he's a lawyer, there is a 99% chance his password is 'password123', and that it is written on a legal pad in his laptop bag.


New Zealand just got a lot closer...


carry two phones, one used only when traveling across the border. Swap sim cards when needed.


This is one problem asking for a SaaS solution. What services exist to help this situation?


if a solution were to be created, could the company be held liable for obstruction of justice via aiding and abetting?

I guess this could be taken care of with an extended terms of service which lay out how the product shouldn't be used to prevent search and seizure by government officials...


Not if it is marketed as an online desktop or backup.


"During 38 per cent of those searches, officers uncovered evidence of a customs-related offence — which can include possessing prohibited material or undeclared goods, and money laundering, said the agency."

If this is true ... wow.


Well, at least it’s not just the US that abuses this.


(2012)


> Posted: May 05, 2019 4:00 AM ET | Last Updated: 10 hours ago


weird. thanks for the correction, some phone glitch there


No, 2019...



