Recently we at the EFF have been trying to fight new rulings about the power of U.S. customs. Right now, it has been ruled that they can search your laptop, taking a complete copy of your drive, even if they don’t have the normally required reasons to suspect you of a crime. The simple fact that you’re crossing the border gives them extraordinary power.
We would like to see that changed, but until then what can be done? You can use various software to encrypt your hard drive — there are free packages like TrueCrypt, and many laptops come with this as an option — but most people find having to enter a password every time they boot to be a pain. And customs can threaten to detain you until you give them the password.
There are some tricks you can pull, like having a special inner-drive with a second password that they don’t even know to ask about. You can put your most private data there. But again, people don’t use systems with complex UIs unless they feel really motivated.
What we need is a system that is effectively transparent most of the time. However, you could take special actions when going through customs or otherwise having your laptop be out of your control.
One idea would be to put the decryption key on a removable device that nonetheless lives in the laptop. For example, many laptops have a card reader, and you could put the key on a card that stays there and has to be present for boot, or perhaps once a day. Take the card with you when leaving the laptop somewhere it might be stolen, the way people used to take the faceplate of an old car radio.
When approaching customs, you must do more. You would actually command the computer to erase the card, and then shut down. The disk would include a small, unencrypted OS to let you perform basic functions but not get at your data. After you cleared customs, you could go get a copy of your key from a backup server, or do some other key recovery process that’s not possible while at customs. Until then, you could not get at your data yourself.
Another interesting place to store the key would be on your Bluetooth cell phone, or IrDA or Wi-Fi PDA. When your laptop boots, it would communicate with the portable device, the two would authenticate to one another, and the laptop would then receive the key. The user wouldn’t see this, as long as the phone was with them when they booted. They would barely need to know the system is there. When going through customs, one could erase the key on the phone before going through, or even do it on the fly if something fishy is going on. (Though there may be some risk to that.)
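The phone exchange described above, written out as an added example rather than anything from the original post: each side proves knowledge of a pairing secret established when the phone was first paired (an assumption of this example), using an HMAC challenge-response with a fresh nonce from each party, and only then does the phone release the disk key, blinded under a per-session key so a passive listener on the radio link learns nothing. The `Phone` and `Laptop` classes and the transport (plain method calls standing in for Bluetooth messages) are constructed for illustration. The example also shows the two failure modes the design has to get right: a device with the wrong pairing secret gets nothing, and an erased phone cannot hand over a key it no longer has.

```python
"""Mutual authentication between laptop and phone before key release (illustrative).

Constructed example; the message flow is:
  1. laptop -> phone : laptop_nonce
  2. phone  -> laptop: phone_nonce, HMAC(secret, "phone"  | laptop_nonce | phone_nonce)
  3. laptop -> phone : HMAC(secret, "laptop" | laptop_nonce | phone_nonce)
  4. phone  -> laptop: disk_key XOR HMAC(secret, "session" | laptop_nonce | phone_nonce)
"""
import hashlib
import hmac
import secrets

KEY_LEN = 32  # the disk key and every HMAC-SHA256 output are 32 bytes


def _mac(secret: bytes, *parts: bytes) -> bytes:
    return hmac.new(secret, b"".join(parts), hashlib.sha256).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Phone:
    """The portable device; the only place the disk key is stored."""

    def __init__(self, pairing_secret: bytes, disk_key: bytes):
        self.pairing_secret = pairing_secret
        self.disk_key = disk_key
        self._laptop_nonce = None
        self._phone_nonce = None

    def erase_key(self) -> None:
        """The 'erase the key' function the post asks for; afterwards nothing can be released."""
        self.disk_key = None

    def respond(self, laptop_nonce: bytes):
        """Step 2: prove we know the pairing secret and issue our own challenge."""
        self._laptop_nonce = laptop_nonce
        self._phone_nonce = secrets.token_bytes(16)
        proof = _mac(self.pairing_secret, b"phone", laptop_nonce, self._phone_nonce)
        return self._phone_nonce, proof

    def release_key(self, laptop_proof: bytes):
        """Step 4: release the key only to a laptop that proved the same secret."""
        expected = _mac(self.pairing_secret, b"laptop", self._laptop_nonce, self._phone_nonce)
        if not hmac.compare_digest(expected, laptop_proof):
            return None  # unauthenticated laptop: refuse
        if self.disk_key is None:
            return None  # key was erased before customs: nothing to give
        session = _mac(self.pairing_secret, b"session", self._laptop_nonce, self._phone_nonce)
        return _xor(self.disk_key, session)  # fresh session pad, used once


class Laptop:
    """The booting machine; holds only the pairing secret, never the disk key at rest."""

    def __init__(self, pairing_secret: bytes):
        self.pairing_secret = pairing_secret

    def boot(self, phone: Phone):
        """Run the exchange; return the disk key, or None if anything fails."""
        laptop_nonce = secrets.token_bytes(16)
        phone_nonce, phone_proof = phone.respond(laptop_nonce)
        expected = _mac(self.pairing_secret, b"phone", laptop_nonce, phone_nonce)
        if not hmac.compare_digest(expected, phone_proof):
            return None  # the device answering is not our phone
        laptop_proof = _mac(self.pairing_secret, b"laptop", laptop_nonce, phone_nonce)
        blob = phone.release_key(laptop_proof)
        if blob is None:
            return None
        session = _mac(self.pairing_secret, b"session", laptop_nonce, phone_nonce)
        return _xor(blob, session)


def demo():
    """Exercise the normal boot, a stranger's device, and the erased-before-customs case."""
    secret = secrets.token_bytes(32)
    disk_key = secrets.token_bytes(KEY_LEN)
    phone = Phone(secret, disk_key)
    laptop = Laptop(secret)
    results = {"paired_boot": laptop.boot(phone) == disk_key}
    results["stranger_device"] = laptop.boot(Phone(secrets.token_bytes(32), disk_key))
    results["stranger_laptop"] = Laptop(secrets.token_bytes(32)).boot(phone)
    phone.erase_key()
    results["after_erase"] = laptop.boot(phone)
    return results


if __name__ == "__main__":
    print(demo())
```

The point to notice is that a successful boot leaves the disk key only in the laptop's RAM, so the post's later caveat about keys lingering in unexpected places applies to whatever the laptop does with it next.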
This is similar to systems already sold which have a radio keychain dongle which is needed to use the computer. However, those devices don’t have an “erase the key” function to disable them.
An unanswered question is whether customs has the power to force you to do a key recovery of the sort you would plan to do when you get home. If the key is at your home I doubt they have any power to get it. If it’s fetchable online, they might try to make you go through that procedure. If you want the full strength, it would require a system where you can’t see your data yourself until you get to your home or office. And for visitors, with no home or office to have stored a key at, online escrow is the only option. One might need an escrow agency that refuses to give you the key if you’re under duress.
Depending on your ability to refuse to provide keys, the computer could simply be put in a mode where a complex password is needed on the next boot, while normally not needing such a password. One must of course be careful to design the security system so the key is not left around on disk or RAM in unexpected places.
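The card-based design above (the key on a removable card, an erase command before customs, and recovery from a copy kept at home) and this paragraph's "complex password on the next boot" mode are really the same structure: one random data key wrapped separately under several slot keys, the way full-disk encryption header formats do it. The following is an added example, not code from the post or from any product it mentions: a card slot, a recovery slot and a passphrase slot, with a `RemovableCard` class standing in for the memory card. Names, the PBKDF2 cost parameter and the passphrase are all constructed for illustration. It also shows why wrapping needs an integrity tag: an erased card must produce a clean failure, not a garbage key that silently "decrypts" the disk to noise.

```python
"""Multi-slot key wrapping for a travel-mode disk encryption design (illustrative)."""
import hashlib
import hmac
import secrets

KEY_LEN = 32                 # 256-bit data key
PBKDF2_ITERATIONS = 200_000  # assumed cost parameter for the passphrase slot


def _subkey(wrapping_key: bytes, label: bytes) -> bytes:
    """Derive a purpose-specific 32-byte subkey so the pad and the MAC never share a key."""
    return hmac.new(wrapping_key, label, hashlib.sha256).digest()


def wrap(data_key: bytes, wrapping_key: bytes) -> bytes:
    """Wrap a 32-byte data key under a wrapping key.

    Each slot has its own wrapping key, so the derived pad is used exactly once
    (a one-time pad), and the MAC lets unwrap() reject a wrong or erased key.
    """
    if len(data_key) != KEY_LEN:
        raise ValueError("data key must be 32 bytes")
    pad = _subkey(wrapping_key, b"pad")
    ciphertext = bytes(a ^ b for a, b in zip(data_key, pad))
    tag = hmac.new(_subkey(wrapping_key, b"mac"), ciphertext, hashlib.sha256).digest()
    return ciphertext + tag


def unwrap(blob: bytes, wrapping_key: bytes):
    """Return the data key, or None if the wrapping key does not fit this slot."""
    ciphertext, tag = blob[:KEY_LEN], blob[KEY_LEN:]
    expected = hmac.new(_subkey(wrapping_key, b"mac"), ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    pad = _subkey(wrapping_key, b"pad")
    return bytes(a ^ b for a, b in zip(ciphertext, pad))


class RemovableCard:
    """Stands in for the memory card that holds the token key (constructed for the example)."""

    def __init__(self, token_key: bytes):
        self.contents = bytearray(token_key)

    def erase(self) -> None:
        """Overwrite, then drop the buffer. On real flash media an overwrite is not a
        guaranteed erase (wear levelling keeps old blocks), which is why the recovery
        and passphrase slots exist instead of relying on this alone."""
        for i in range(len(self.contents)):
            self.contents[i] = 0
        self.contents = bytearray()

    def read(self) -> bytes:
        return bytes(self.contents)


def create_volume(passphrase: str):
    """Generate the data key and wrap it into three slots: card, recovery, passphrase."""
    data_key = secrets.token_bytes(KEY_LEN)
    token_key = secrets.token_bytes(KEY_LEN)     # lives on the card
    recovery_key = secrets.token_bytes(KEY_LEN)  # lives at home or with an escrow agent
    salt = secrets.token_bytes(16)
    pass_key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS)
    header = {
        "slot_card": wrap(data_key, token_key),
        "slot_recovery": wrap(data_key, recovery_key),
        "slot_passphrase": wrap(data_key, pass_key),
        "salt": salt,
    }
    return header, RemovableCard(token_key), recovery_key, data_key


def boot_with_card(header, card: RemovableCard):
    """Normal, invisible boot: the card supplies the key and the user types nothing."""
    return unwrap(header["slot_card"], card.read())


def boot_with_passphrase(header, passphrase: str):
    """Travel-mode boot: only the strong passphrase works, and the owner may decline to give it."""
    pass_key = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), header["salt"], PBKDF2_ITERATIONS)
    return unwrap(header["slot_passphrase"], pass_key)


def recover_after_travel(header, recovery_key: bytes):
    """Key recovery from the copy kept at home, once clear of customs."""
    return unwrap(header["slot_recovery"], recovery_key)


def travel_mode_round_trip(passphrase: str = "correct horse battery staple"):
    """Walk through create, normal boot, erase before customs, and the two ways back in."""
    header, card, recovery_key, data_key = create_volume(passphrase)
    normal_boot = boot_with_card(header, card) == data_key
    card.erase()  # the step taken before approaching customs
    return {
        "normal_boot": normal_boot,
        "card_boot_after_erase": boot_with_card(header, card),
        "wrong_passphrase": boot_with_passphrase(header, "guess"),
        "right_passphrase": boot_with_passphrase(header, passphrase) == data_key,
        "recovery": recover_after_travel(header, recovery_key) == data_key,
    }


if __name__ == "__main__":
    print(travel_mode_round_trip())
```

A real implementation would wrap with an authenticated cipher rather than a derived pad, but the slot layout is the part that matters here: erasing the card removes the convenient path and leaves only the paths that are under the owner's control, whether that is a passphrase they can refuse or a key that is physically elsewhere.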
Finally there is the question of obstruction of justice. Normally, destroying “evidence” when you know that it might be wanted by legal authorities is a felony. You can’t shred the incriminating documents while the cops are banging at the door. You would not be able to destroy the key if you knew you were the subject of a criminal investigation.
But this customs search is a new animal. The whole reason we’re bothered by it is that you are not under investigation for any clear reason. As such it will be interesting to see whether key destruction is obstruction of justice when done before a search that has no traditional grounds for suspicion. However, my main point is that in order to get people to use disk encryption, you need something that has no visible UI most of the time, but still protects the data when it needs to.