Tag Archives: Customs

The Challenges of Border Patrol

I am going to try and make this non-political.  We will see if I succeed.

Customs and Border Patrol detained a U.S. Citizen active duty Army soldier as he went through a U.S. airport as part of his directed orders.  The soldier, who is an American citizen, was born in Iran.

A leaked Border Patrol document says the agency directed agents to question travelers of Iranian descent, even if they are American citizens or even active duty soldiers traveling on orders.

Customs also asked the soldier for the password to his iPhone, which he gave them, but they decided to keep his phone for further examination.

The Border agent said that the soldier’s phone number had been popping up on multiple different travelers that had been flying recently.

He asked if he could get his phone back to get information off it and they said no (which is reasonable in the context of the situation).

Since many people connect their phone to cloud services, in theory the forensics investigation could access your cloud data (of course, they can get a warrant to do that anyway), so either way, they likely have access to all of the data on your phone plus in your cloud.

The soldier does not know when he is going to get his phone back.  I am probably more paranoid than most, but I would not use that phone even if I did get it back.  He could, of course, sell the phone, but in the meantime, assuming he, as a soldier, wants to stay connected to his loved ones, he has to shell out his own money for a new phone.

In theory, Customs is only supposed to keep confiscated phones for 5 days, but they can extend that week by week indefinitely.  There are numerous stories online of Customs keeping phones for 90 days or more.

Customs had previously told the media that there was no directive to target people of Iranian descent, but after a memo stating exactly that was leaked, they changed their story and admitted that they were doing that.

So, what to make of all of this?

It would appear that Customs did nothing wrong.

Was this soldier targeted because of his heritage?  Likely, but you can’t prove anything.

If Customs decides they want to keep your phone, there is nothing illegal about that and all they are required to do is give you a receipt.

Non U.S. citizens can be sent home if they refuse to unlock their phone but, for U.S. citizens, all they can do is keep your phone.  Of course, they can detain you for questioning, but unless they arrest you, they do have to let you in.  In the grand scheme of things, Customs only looks at a few tens of thousands of phones out of the many millions of people coming into the country every year, so the odds are pretty low that they would ask.

If you have business information on your phone that you are concerned about or if you are an attorney with privileged information, talk to your security team or don’t take it with you if possible (this includes all electronic devices, not just phones).

If you have adult personal information on your devices, you might not want to travel with that.  There have been reports of issues with that being shared – unproven but reported.

On the other hand, Customs is charged with protecting us and I suspect that, in general, they try really hard to do just that.

If, however, you are a citizen who gets caught up in the dragnet, well, that is not a lot of phone.

Feel free to post your thoughts.  Source: Vice

Security News for the Week Ending December 21, 2018

Patches This Week

Microsoft issued an emergency out-of-band patch for an Internet Explorer zero-day bug that affects IE 9, 10 and 11 on Windows 7, 8, 10 and the related server versions.  The bug allows a hacker to remotely execute code by getting a victim to view a web page, HTML document, PDF or other file that is rendered by IE’s scripting engine.  See details here.

The developers of the most popular database in the world based on the number of installations, SQLite, released a patch that fixes a bug that affects millions of distinct apps and billions of installations, including the Chrome browser on Windows, Macs, iPhones and Android devices.  Read the details here.

 

Taylor Swift Spies on Her Fans

In the turnabout is fair play department, Taylor Swift’s security team used facial recognition technology at (at least) one of her recent concerts to sniff out stalkers.  Using a kiosk of rehearsal videos with a spy cam embedded in it, Swift’s team took photos of everyone who watched the video and compared them to a database of suspected stalkers.  They did not report if they found any or what they did with the images after the concert. Since a concert is likely considered a public venue, customers probably have no expectation of privacy, so Swift would not need to disclose that she was using video surveillance.  Source: The Register.

 

Marriott Breach Traced to China

What do the Office of Personnel Management breach and the Anthem breaches have in common with the Marriott breach?  According to some sources, they are all traced back to China.  The Marriott breach is now being traced to China’s Ministry of State Security, China’s civilian spy agency.

Their objective is to build up massive dossiers on hundreds of millions of Americans to use in future attacks.  Like OPM, like Anthem, much of the Marriott data – like when you traveled, where you traveled, how long you stayed, who was at a particular hotel at the same time (mistresses, spies, information leakers and otherwise) – ages quite well.

All of this in spite of pressure being exerted by the Trump administration on China to stop hacking us.  Is the pressure just making them hack us even more?  Not clear, but it doesn’t seem to be helping much. (Source: the New York Times).

 

Muslim-American U.S. Citizen is Suing U.S. Government for Detaining Him at the Airport

A Muslim-American traveler was detained at the Los Angeles airport (LAX) while trying to board a flight to the Middle East.  Customs asked him a bunch of questions, searched his luggage and wanted him to unlock his phone, which he initially refused.  He was handcuffed and detained for four hours and missed his flight.  He asked if he was under arrest and needed a lawyer and was told no.  Eventually, after many hours, he relented and unlocked his phone.  CBP examined the phone and possibly imaged the phone.

Since he is a natural born U.S. citizen there are limits to what CBP can do, but it is interesting that he was leaving the U.S. and not entering it when he was detained.

He is now suing the U.S. government.  That is always a dicey deal, so I would doubt that this is going to go very far, but it is interesting.  Source: The Register.

 

Facebook Shared Your Data with 150 Partners Without Telling You

The Times is reporting that Facebook was sharing your messages, contact information and friends with around 150 vendors including Netflix, Spotify, Microsoft, the Royal Bank of Canada and many others.  Facebook says that they didn’t do that without users’ permission, but if they did ask for permission, it was not in a way that anyone was aware that they were granting it.  Facebook says they only did that to improve your Facebook experience (i.e. sell more ads) and that most of these programs have been terminated (since it was completely above board – not).  Facebook says this did not violate their 2012 consent decree with the FTC, but likely the FTC will decide whether that is true on their own.  Facebook did admit that this raises user trust issues.  Likely true.  Source: HuffPo.

Visit New Zealand – Fork Over Your Passwords or Risk Being Prosecuted

In what is thought to be the first country to do this, travelers entering New Zealand who do not turn over their phone passwords during searches could be arrested, prosecuted and fined more than $3,000.  This includes citizens and foreigners.

A New Zealand customs spokesperson said that the new fine is an appropriate remedy to balance individuals’ privacy and national security.  I am not sure what the balance is here.

In many countries law enforcement can examine your digital devices, but it is up to them to figure out how to hack into them if you don’t unlock them.

I suspect that this will become a bit of a trend.

Once law enforcement has the phone, unlocked, you have to assume that whatever is on the phone – from nude selfies to business trade secrets – has been compromised.  There is no way to know whether that data is secure or not.  Given most governments’ security track records, this is probably a sad reality.

In the case of New Zealand, the customs agent has to have some undefined suspicion of wrongdoing in order to invoke the new law.

Things that you can do to minimize the pain –

Large companies that are concerned about security are giving their employees burner phones and burner laptops when they travel abroad.

These same companies require employees to get approval for any data files that they load onto these devices.

For private citizens, this applies as well.  Don’t take your laptop and buy a burner phone at Walmart or Best Buy and only load what you need.

Alternatively, store the data that you will need while abroad in the cloud, encrypted, download it while abroad, upload changes before you cross any borders and overwrite the deleted files with software like the free program CCleaner.

If you believe Snowden, intelligence analysts liked sexy photographs and swapped them internally like baseball cards.  I would suspect that practice applies to customs agents as well.  If it isn’t there, they cannot do that.

It is likely that you will pass through customs unmolested – in the U.S. last year, customs only searched several tens of thousands of devices compared to the hundreds of millions of travelers –  but if you are concerned, there are some easy and inexpensive steps that you can take.

Source: NY Times.

 

Court Rules Warrantless Border Search Unreasonable

Many of you are aware that the Customs and Border Patrol has ruled that there is a 200 mile zone inside the U.S. where they can search your belongings without a warrant and without probable cause.

The Constitution does give Customs a lot of latitude for searches at the border – much more power than say, the police or the FBI have normally, but at least one court is saying this power is not unlimited.

If you think about it, a large part of the U.S. population lives within 200 miles of the border – most of California, except the eastern part of the state, southern Texas, New York City, Boston, Washington, DC and a lot of other cities.  Customs has interpreted their powers to say that they can come up to you and search you and any containers you have with you without cause.  For the most part, the courts have upheld that power.  The government has said that your laptop or phone is a container that they can search under this doctrine.

In this case, the government had been trying to build a case that Jae Shik Kim was conspiring to sell aircraft technology illegally to Iran. I don’t know if he was or was not.  So, when Jae showed up at LAX to fly home to South Korea, the government decided that this was reason enough to seize his laptop and other computer equipment and fly it to a lab 150 miles away to examine it.  CBP likens this to opening your suitcase and looking for drugs.

A U.S. District court judge has ruled that this is unreasonable (see ruling) and violated his privacy.  This is just a district court so the government may appeal, but at least some judges are beginning to say that Customs’ powers are not limitless.

This has happened to a number of people.  Recently, Chris Roberts was picked up by the FBI for a tweet he made while on a United flight.  Chris is a security researcher and the feds did not like his tweet, although those in the security community didn’t think it was threatening.  The FBI took all his electronic goodies to examine them.

Chris, founder of One World Labs, a security firm, had all of his stuff encrypted, so it is unlikely the feds were able to extract much from his equipment.

The article talks about another programmer, David House, who also had his equipment taken by Customs.  In that case, the government eventually agreed that he did nothing wrong and agreed to destroy their copy of his data.

In general, encryption is your best defense against this kind of action.  If the encryption is good, then it protects you not only against your laptop being lost or stolen, but also against unreasonable searches.   To me, it is unclear why anyone would not encrypt their personal data.

As more data becomes mobile (phone, pad, laptop, cloud), encryption should be an important part of your arsenal for protecting it, wherever it goes.