Mich Kabay takes a high-level view of security issues and provides resources to help safeguard your corporate and personal security.
In my last column, I introduced the issue of crossing U.S. borders with encrypted data and advised corporate users to think carefully about whether to do so. Today I want to discuss the implications of the way the U.S. Customs and Border Protection (CBP) service is demanding decryption keys from travelers and seizing portable electronic devices.
In February, the Electronic Freedom Foundation and the Asian Law Caucus sued the U.S. Department of Homeland Security for “release of agency records concerning CBP’s policies and procedures on the questioning, search, and inspection of travelers entering or returning to the United States at ports of entry.”
We have now lost the benefits of strong disk encryption when crossing U.S. borders. A bureaucrat can demand our encryption key and seize our computers with no way to prevent the seizure or even to demand (let alone receive) an explanation of that demand.
How do we ensure chain of custody if there’s no available documentation, even under court order? How do we ensure protection of confidential corporate data if the rules of investigation are undocumented? Judging by the resistance of the USBCI to demands for information about their investigative process, the border entry points have become a constitutional-protection-free zone.
Corporate information about new products, new marketing plans, new business strategies and even detailed customer records may be worth millions to competitors. Do you really want to entrust such information to people who are entirely without judicial oversight? How much do you think a border agent earns in a year? How much do you think an industrial spy would be willing to pay for some of your corporate secrets? For that matter, how much do you think ordinary criminals would be willing to pay for personally identifiable information on your encrypted - and now decrypted - hard drive? Why would anyone assume that a secret process, closed to judicial or indeed any form of external oversight or control, is necessarily secure and immune to corruption? Faith? Hope? Patriotism defined as subservience to power?
It seems to me that we are experiencing a level of unchecked government intrusion that justifies a corporate policy dictating that employees, whether U.S. citizens or not, should not carry any confidential corporate data at all on their laptop computers unless they feel like having unnamed judicially uncontrolled agents of the U.S. government examining company information.
M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services.
Comments (9)
saving a click...
By heh on June 2, 2008, 11:26 am
Can't say enough nice things about truecrypt--the previous commenter is referring to the "plausible deniability" feature of the software. If customs officials want...
Disk Wipe
By Paul Masley on May 30, 2008, 8:26 pm
A very simple solution to this problem is "They Wanna Password," give them one. The password activates two programs. Once that looks like it is starting a directory...
Rights
By Richard Anon on May 28, 2008, 9:23 am
Randy, The constitution allows border inspection without search warrant. The supreme court has ruled this can take place up to fifty miles from the border. ...
Please explain to the learned justices
By Anonymous on May 28, 2008, 2:25 am
That taking someone's property without permission or recourse is known as THEFT.
Rights
By Randy Grein on May 28, 2008, 12:42 am
Check the Declaration of Independence and Constitution. All rights are vested in the individual, exceptions are noted. This is known as freedom. The reverse, where...