For work data such as the lawyer in the article I would recommend go one step further and not having the password in the first place. You can achieve this by for example having the server admin at work remotely unlock the device at request, have hardware tokens at trusted locations, or software that provide similar effect. No amount of $5 wrench or legal threats can change the situation as it not in your hand to give them access, and you can helpfully give the path forward for the officers to follow. Even better if you have a written company policy with you which spells out that employees don't have capability to unlock devices during travel.
For confidential work data, unless there is a reason it needs to be used disconnected from the internet, it would be better if it was simply never on the laptop at all. The workplace could just use virtual desktops that never leave the company’s IT infrastructure, but are remotely logged on to from whatever device users need to work from.
How 5 dollar wrench won't work in this case? Isn't administrator going to follow his order, so he can made to call the administrator and reset keys etc..?
The value of the trick is just in pushing access control outside the situation.
Border services generally have extensive but constrained powers - in the US, they're limited in how far from a border they can exercise authority. So they don't get to arrest the administrator directly, or go and confiscate an access key sitting in Edmonton. They can still demand that whoever is at the border arrange for unlocking, and can probably seize the device if they're refused. But the threat "we'll lock you up until you open the device" is potentially legal, while "we'll lock you up because as a hostage until somebody else opens this" has far less merit. (Obviously, none of this applies if you go someplace where actual hostage takings might happen.)
If the administrator says "I need physical access to unlock that" or "our firm's policy says I can only open devices once they're at one of our offices being used for billable hours", there's no one handy to apply the wrench to. At that point, confiscate-and-image is as much access as anyone can hope to get.
This assumes you can get the wrench close enough to the admin. If they are in another country, one that is outside of your jurisdiction you'll have a hard time applying your wrench.
The usefulness of this "trick" relies on not having the _data_.
They aren't going to hit me with a wrench for the decryption password to a cloud-stored blob that's not on the device (and ideally, one they don't know about. Remember the password and the location of the data. Remember to secure-delete it from your device though. There should be an easy "prep for border crossing" checklist that includes this.)
Like, leave a private key at home and encrypt your drive with the public key before crossing the border? Yeah, at that point you are powerless to do anything until you are at home.
But what's the difference? The end result is the same: your device(s) are confiscated and they attempt to brute force the password. Telling an officer that you cannot give them the password because you did some techno-mumbo-jumbo is just going to piss them off and make them assume you have "something to hide" because "no honest person would go to those lengths".
Yes. This thread is full of people proposing inventive technical solutions to genuinely prohibit your own access to the device while you're going through customs, as if border patrol a) knows the difference and b) gives a damn. These are all functionally equivalent to "Um, I forgot my password." (Or, if you wish for a more plausible but equally ineffective excuse, "This is actually my mother's laptop; I'm bringing it to her and I don't know the password.")
If an LEO (claims to) need access to something and you give him a dead end, it's his job to assume you're lying and find the next legal option available to him.
The real question you should be asking yourselves isn't "How would you outsmart the caveman cop in this situation?" Rather, it's "What can/will you do, as a citizen, to resist the erosion of our civil liberties?" Sadly, I have no easy answers here.
> it's his job to assume you're lying and find the next legal option available to him.
Not sure where you live, but in the US it's actually his first and foremost responsibility to uphold a constitution that says that people are free from unreasonable searches and seizures.
Well, in a country with a for-profit, for-"performance" law enforcement system, where prosecutors are paid by how many people they put in jail and cops are paid by how many traffic tickets they write, do you really think some paper from 1787 is going to have much influence on a TSA agent if their paycheck depends on sorting out as many "bad guys" as possible?
The Canadian constitution (specifically the part of it called the Charter of Rights and Freedoms) guarantees the same right, however, constitutional rights in Canada are granted only up to "reasonable limits". Those limits are determined by the Supreme Court.
You're right. I missed an important part of the comment I was replying to: you need to say something about "company policy" or "company lawyers", now you're playing in the both the social and technical realm.
Nothing justifies an honest person going to great lengths to do some weird thing quite like "company policy".
Nothing makes officers think twice like the mention of lawyers backed by Apple / Google levels of money.
This only works if you trust egress border crossing more than ingress. Otherwise you might as well not bring your laptop along in the first place as it'd be an encrypted deadweight.
