One thing that hasn't been given enough public attention is the recent discovery of regulations that now give U.S. Department of Homeland Security border agents the power to seize travellers' electronic devices, such as hard drives, flash drives, cellphones, iPods, pagers and beepers, as well as video and audio tapes, books, pamphlets and other written material. They can make copies of their contents and examine them at their leisure, and share the contents with other U.S. government agencies.
Of course they're looking only for terrorists, but with the current hysteria about copyright, they might get enthusiastic and pass on your collection of MP3 songs and whatever else you've got to the appropriate justice officials.
The news gave my Panel of Learned Geeks quite a turn, and their responses were, appropriately, technological.
One suggested keeping passwords memorized, and not on the computer; that notion was shot down pretty quickly when everyone agreed that refusal to give up a password is no defence when it comes to the War on Terror.
More curious is the question of what happens if your data is not stored directly on your laptop, but accessible via a virtual private network, or something even simpler, such as a logon and password on a website. Once the bad guys get clued into this, they might very well do the same, especially with information on servers overseas. Would suspicious laptop-carriers then be forced to divulge connectivity information, thereby violating a corporate policy of secrecy?
“Providing access to my corporate network would place me in violation of my employment contract and nondisclosure agreement,” wrote one member. “It would also place me in violation of nondisclosure agreements with public and private U.S. companies, securities laws, computer access laws, and other such things.”
Another responded this way: “I will give [the DHS] every single password needed to access and decrypt anything that I can. Hey, I'll even give them my password for my company computer. What's that? Doesn't work? The password must have changed. Here's the number of our security director. Call him and convince him he should disclose the password.”
One part of the discussion approached this issue philosophically. What, exactly, do you have when you have “data”? It was summed up this way: “Until someone comes up with definitions of what ‘a person possessing data’ or a device ‘holding data’ actually means, this is going to be a freakin' mess. Common law concepts that apply to possession of physical objects just do not apply whatsoever to data. Data is a representation, not a physical object itself.”
Then there were scornful suggestions:
“Here's another idea. Swap laptops with someone else. He doesn't have your passwords and you don't have his. Just don't go through together.”
Another idea: “Don't bring a laptop. Rent one down there and download a live CD with your system on it. Or bring an empty laptop or one with nothing but DOS 2.1 or Minix on it. I still have a Plan 9 boot disk around here somewhere. I'm pretty sure we can always out-stupid them.”
One raised the scary prospect of BlackBerry users: “Should you have to explain a wrong number that linked you to a crime organization?”
Is this all paranoia? Anyone who has been stopped by an officious U.S. border guard with an attitude will quickly tell you it's not. Any protest of the legality of what they're doing is a virtual admission of guilt and they will bring down the wrath of their government on your head.
One panel member, a security expert, told this story:
“I was on a client site doing incident response in the U.S. and I had to explain to the people I was subcontracting to that I had to secure-delete everything from my machine before heading home as I had no way of knowing the full extent of what was hidden in the directories and Web caches of the machines I copied to mine for security analysis. I had used removable media for almost everything, and the people understood my discomfort at transporting data I wasn't sure of across an international border. I would advise the same to anyone else who routinely handles data from dodgy sources.”
He concluded with an understatement: “We do indeed live in interesting times.”