Bordering on insanity

The long view of security strategies for your network.

In my last column, I introduced the issue of crossing U.S. borders with encrypted data and advised corporate users to think carefully about whether to do so. Today I want to discuss the implications of the way the U.S. Customs and Border Protection (CBP) service is demanding decryption keys from travelers and seizing portable electronic devices.

In February, the Electronic Freedom Foundation and the Asian Law Caucus sued the U.S. Department of Homeland Security for “release of agency records concerning CBP’s policies and procedures on the questioning, search, and inspection of travelers entering or returning to the United States at ports of entry.” 

We have now lost the benefits of strong disk encryption when crossing U.S. borders. A bureaucrat can demand our encryption key and seize our computers with no way to prevent the seizure or even to demand (let alone receive) an explanation of that demand.

To continue reading, register here and become an Insider. You'll get free access to premium content from CIO, Computerworld, CSO, InfoWorld, and Network World. See more Insider content or sign in.

In my last column, I introduced the issue of crossing U.S. borders with encrypted data and advised corporate users to think carefully about whether to do so. Today I want to discuss the implications of the way the U.S. Customs and Border Protection (CBP) service is demanding decryption keys from travelers and seizing portable electronic devices.

In February, the Electronic Freedom Foundation and the Asian Law Caucus sued the U.S. Department of Homeland Security for “release of agency records concerning CBP’s policies and procedures on the questioning, search, and inspection of travelers entering or returning to the United States at ports of entry.” 

We have now lost the benefits of strong disk encryption when crossing U.S. borders. A bureaucrat can demand our encryption key and seize our computers with no way to prevent the seizure or even to demand (let alone receive) an explanation of that demand.

How do we ensure chain of custody if there’s no available documentation, even under court order? How do we ensure protection of confidential corporate data if the rules of investigation are undocumented? Judging by the resistance of the USBCI to demands for information about their investigative process, the border entry points have become a constitutional-protection-free zone.

Corporate information about new products, new marketing plans, new business strategies and even detailed customer records may be worth millions to competitors. Do you really want to entrust such information to people who are entirely without judicial oversight? How much do you think a border agent earns in a year? How much do you think an industrial spy would be willing to pay for some of your corporate secrets? For that matter, how much do you think ordinary criminals would be willing to pay for personally identifiable information on your encrypted - and now decrypted - hard drive? Why would anyone assume that a secret process, closed to judicial or indeed any form of external oversight or control, is necessarily secure and immune to corruption? Faith? Hope? Patriotism defined as subservience to power?

It seems to me that we are experiencing a level of unchecked government intrusion that justifies a corporate policy dictating that employees, whether U.S. citizens or not, should not carry any confidential corporate data at all on their laptop computers unless they feel like having unnamed judicially uncontrolled agents of the U.S. government examining company information.

Oh - and watch out for your password safe; maybe it would be a Good Thing to wipe that as well if you are uncomfortable handing your bank account access codes to a total stranger.

On a personal note, I think my confidential, PGP-encrypted data might be at risk when I cross the U.S. border. I’m a non-Christian (gasp!) former Canadian (horrors!!) with a name like “Kabay” (Father was “Kabashnikoff” until 1932) (ack!!!). I’m a Life Member of the NAACP and I carry an ACLU membership card in my wallet (so I can claim to be a CCMACLU). I must be a threat to the security of the United States. Gosh, perhaps I should be wiping my university laptop’s hard disk of all client, student and confidential university data and disabling the PGP encryption software on the system before I take the computer out of the country from now on. And I should warn my colleagues in the IT group to be prepared to provide me with a nice replacement computer on demand after any trip abroad just in case someone decides to keep it indefinitely without explanation.

M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.