A near-ZUI encrypted disk, for protection from Customs

Recently we at the EFF have been trying to fight new rulings about the power of U.S. customs. Right now, it's been ruled they can search your laptop, taking a complete copy of your drive, even if they don't have the normally required reasons to suspect you of a crime. The simple fact that you're crossing the border gives them extraordinary power.

We would like to see that changed, but until then what can be done? You can use various software to encrypt your hard drive -- there are free packages like TrueCrypt, and many laptops come with this as an option -- but most people find having to enter a password every time they boot to be a pain. And customs can threaten to detain you until you give them the password.

There are some tricks you can pull, like having a special inner-drive with a second password that they don't even know to ask about. You can put your most private data there. But again, people don't use systems with complex UIs unless they feel really motivated.

What we need is a system that is effectively transparent most of the time. However, you could take special actions when going through customs or otherwise having your laptop be out of your control. One idea would be to put the decryption key on a removable device that nonetheless lives in the laptop. For example, many laptops have a card reader, and you could put the key on a card that stays there and has to be present for boot, or perhaps once a day. Take the card with you when leaving the laptop somewhere it might be stolen, like the detachable faceplate of an old car radio.

When approaching customs, you must do more. You would actually command the computer to erase the card, and then shut down. The disk would include a small, unencrypted OS to let you perform basic functions but not get at your data. After you cleared customs, you could go get a copy of your key from a backup server, or do some other key recovery process that's not possible while at customs. Until then, you could not get at your data yourself.

Another interesting place to store the key would be on your Bluetooth cell phone, or IrDA or wifi PDA. When your laptop boots, it would communicate with the portable device, the two would authenticate to one another, and then the laptop would receive the key. The user wouldn't see this, as long as the phone was with them when they booted. They would barely need to know the system is there. When going through customs, one could erase the key on the phone before going through, or even do it on the fly if something fishy is going on. (Though there may be some risk to that.)

This is similar to systems already sold which have a radio keychain dongle which is needed to use the computer. However, those devices don't have an "erase the key" function to disable them.

An unanswered question is whether customs has the power to force you to do a key recovery of the sort you would plan to do when you get home. If the key is at your home I doubt they have any power to get it. If it's fetchable online, they might try to make you go through that procedure. If you want the full strength, it would require a system where you can't see your data yourself until you get to your home or office. And for visitors, with no home or office to have stored a key at, online escrow is the only option. One might need an escrow agency that refuses to give you the key if you're under duress.

Depending on your ability to refuse to provide keys, the computer could simply be put in a mode where a complex password is needed on the next boot, while normally not needing such a password. One must of course be careful to design the security system so the key is not left around on disk or RAM in unexpected places.
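As an added illustration of the design sketched above (the removable token that must be present at boot, the phone that authenticates to the laptop before handing over the key, the erase-and-recover-later step, and the escrow that can refuse release), here is a small Python model of the key hierarchy such a system would use. It is example code written for this page, not anything from the post, from the EFF, or from any product; the names (`Token`, `Escrow`, `Laptop`, `enter_travel_mode`, the `hold` flag) and the pairing protocol are assumptions of the model. The disk master key is never stored in clear: one copy is wrapped under a key held on the token, another under a recovery key held by the escrow server. Erasing the token makes the laptop unable to read its own data until the recovery key is fetched, which is exactly the "can't get at your data yourself" state the post describes. Key wrapping is an HMAC-SHA256 keystream with an encrypt-then-MAC tag, a stdlib-only stand-in for a real AEAD or AES key wrap.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32    # master, token and recovery keys are all 32 bytes (assumption of this model)
NONCE_LEN = 16


def prf(key: bytes, label: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 as a PRF; the label keeps keystream, tag and pairing uses apart."""
    return hmac.new(key, label + data, hashlib.sha256).digest()


def wrap_key(kek: bytes, key: bytes) -> bytes:
    """Encrypt-then-MAC a 32-byte key under kek; returns nonce || ciphertext || tag."""
    assert len(key) == KEY_LEN
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(a ^ b for a, b in zip(key, prf(kek, b"stream", nonce)))
    return nonce + ct + prf(kek, b"tag", nonce + ct)


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any tampering."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:NONCE_LEN + KEY_LEN], blob[NONCE_LEN + KEY_LEN:]
    if not hmac.compare_digest(tag, prf(kek, b"tag", nonce + ct)):
        raise ValueError("wrapped key failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, prf(kek, b"stream", nonce)))


class Token:
    """The phone or card: holds the token key, answers a pairing challenge, can be erased."""

    def __init__(self, pairing_secret: bytes):
        self.pairing_secret = pairing_secret     # shared with the laptop at pairing time
        self.key = secrets.token_bytes(KEY_LEN)
        self._nonce = None

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(NONCE_LEN)
        return self._nonce

    def release_key(self, laptop_nonce: bytes, laptop_proof: bytes):
        """Hand over (token_proof, key) only if the laptop proved it knows the pairing secret."""
        nonce, self._nonce = self._nonce, None   # every challenge is single-use: no replay
        if self.key is None or nonce is None:
            return None
        if not hmac.compare_digest(laptop_proof, prf(self.pairing_secret, b"laptop", nonce + laptop_nonce)):
            return None
        return prf(self.pairing_secret, b"token", laptop_nonce + nonce), self.key

    def erase(self) -> None:
        self.key = None


class Escrow:
    """Backup server: holds the recovery key behind a passphrase and a traveller-set hold."""

    def __init__(self):
        self._slots = {}

    def deposit(self, laptop_id: str, recovery_key: bytes, passphrase: str) -> None:
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 100_000)
        self._slots[laptop_id] = {"salt": salt, "digest": digest, "key": recovery_key, "hold": False}

    def set_hold(self, laptop_id: str, held: bool) -> None:
        self._slots[laptop_id]["hold"] = held

    def release(self, laptop_id: str, passphrase: str):
        slot = self._slots[laptop_id]
        if slot["hold"]:
            return None                          # agency refuses while the hold is in force
        digest = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), slot["salt"], 100_000)
        return slot["key"] if hmac.compare_digest(digest, slot["digest"]) else None


class Laptop:
    """Disk header with two key slots; the master key lives only in RAM after a good boot."""

    def __init__(self, laptop_id: str, token: Token, escrow: Escrow, passphrase: str):
        self.laptop_id = laptop_id
        self.pairing_secret = token.pairing_secret
        master = secrets.token_bytes(KEY_LEN)
        recovery_key = secrets.token_bytes(KEY_LEN)
        self.header = {"token": wrap_key(token.key, master), "recovery": wrap_key(recovery_key, master)}
        escrow.deposit(laptop_id, recovery_key, passphrase)   # the laptop keeps no copy of it
        self.master = None

    def boot(self, token: Token) -> bool:
        """Mutual challenge-response with the token, then unwrap the master key."""
        self.master = None
        if "token" not in self.header:
            return False
        token_nonce = token.challenge()
        laptop_nonce = secrets.token_bytes(NONCE_LEN)
        reply = token.release_key(laptop_nonce, prf(self.pairing_secret, b"laptop", token_nonce + laptop_nonce))
        if reply is None:
            return False
        token_proof, token_key = reply
        if not hmac.compare_digest(token_proof, prf(self.pairing_secret, b"token", laptop_nonce + token_nonce)):
            return False                         # the token could not authenticate to us
        self.master = unwrap_key(token_key, self.header["token"])
        return True

    def enter_travel_mode(self, token: Token, escrow: Escrow) -> None:
        """Erase the token key, drop the cached master key, and ask escrow to hold the backup."""
        token.erase()
        del self.header["token"]
        self.master = None
        escrow.set_hold(self.laptop_id, True)

    def recover(self, escrow: Escrow, passphrase: str, new_token: Token) -> bool:
        """Fetch the recovery key from escrow, unwrap the master key, enrol a fresh token."""
        recovery_key = escrow.release(self.laptop_id, passphrase)
        if recovery_key is None:
            return False
        master = unwrap_key(recovery_key, self.header["recovery"])
        self.header["token"] = wrap_key(new_token.key, master)
        self.pairing_secret = new_token.pairing_secret
        self.master = master
        return True
```

The points worth noticing are the ones the post raises: a token with the wrong pairing secret (a stranger's phone) never receives the key, because the laptop must answer the token's challenge first; after `enter_travel_mode` the laptop boots but cannot reach its data, and `recover` fails both while the escrow hold is set and with the wrong passphrase; and the master key is re-wrapped for a new token rather than ever being written to disk in clear.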

Finally there is the question of obstruction of justice. Normally, destroying "evidence" when you know that it might be wanted by legal authorities is a felony. You can't shred the incriminating documents while the cops are banging at the door. You would not be able to destroy the key if you knew you were the subject of a criminal investigation.

But this customs search is a new animal. The whole reason we're bothered by it is that you are not under investigation for any clear reason. As such it will be interesting to see whether key destruction is obstruction of justice when done before a search that has no traditional grounds for suspicion. However, my main point is that in order to get people to use disk encryption, you need something that has no visible UI most of the time, but still protects the data when it needs to.

Comments

As usual, great analysis and consideration of options. I do use a TrueCrypt partition for some data, but I agree... it's not simple enough to breach most people's activation threshold. Very interesting ideas here.

I'm starting to REALLY get concerned about some of the "privacy vs. security" tradeoffs that people now just shrug and accept. I wonder when we reach the point of "very difficult to return from". I do actually believe/hope that we will swing back from this, but I expect it will take a crisis, Watergate-style, to highlight the abuses and potential problems sufficiently.

Nice article, and I'm glad someone is taking a serious look at the problem. I have an idea, and some additional analysis.

The idea: Use a physical key, and send a duplicate key ahead via FedEx or some other delivery service rather than trying to travel with a key. That won't protect you if you've been specifically targeted by the authorities (since the key could be intercepted en route), but it will frustrate fishing expeditions.

The analysis: In many developed countries, the threat is unique to the short time after you've physically crossed the border but before you've cleared customs. Once you clear customs, if the authorities want to compel access to your laptop, they need a warrant or some other specific legal authority (under normal circumstances--I'm considering the case of a businessperson or lawyer who has sensitive documents, not the case of someone who might attract scrutiny from agencies more accustomed to operating outside the law). So for many travelers, a sufficient level of protection needs only to deflect the customs agent's attention enough to get cleared. Customs can't go back and demand access once a traveler has passed into the country (in many countries).

The catch is that any obvious protection or encryption will, in itself, attract the attention of customs, and in some backward places (like the United States), Customs can detain you indefinitely until they're satisfied you've handed over all the goods. Any scheme which is visible to a customs agent is likely to cause great problems to the traveler: it's like trying to clear customs while carrying a welded-shut steel box. They will be intensely curious as to the contents of the box, and don't expect to go anywhere until someone fires up a cutting torch.

So what you really need is a combination of encryption plus the electronic equivalent of a cloaking device.

Ideally, the computer should function perfectly normally if booted or accessed without the special key, but sensitive files simply won't appear in the filesystem. Unless customs is specifically targeting you, this should get you safely through (and even if they make you leave a disk image behind, the encryption should protect the secrets against a more detailed analysis).

If you're ready to think about doing the FedEx, you're already in the highly prepared minority. The real solution is something that takes minimal thought. The cell phone approach is good because it's also a great anti-theft measure. If you turn on the laptop in the presence of your enabled Bluetooth device, it just works like now. If you turn it on without that device on and nearby, it can't access your encrypted data.

The goal here is that this isn't very common, so customs doesn't know to demand your laptop and your phone, or your laptop and your bluetooth key fob. Which gives you a short time in which to execute the command on your phone or fob to erase the key.

Indeed, you could even get to the point where, if the laptop is running, the command from the phone via bluetooth tells it to erase the key and shut down. However, it is an open question if this is obstruction of justice or not.

The main point is most people -- this is for innocent people after all -- will not remember to follow any special procedures before they get into customs. If they can legally follow a procedure after they get into customs, or after their laptop is taken, that's what works. The same applies to theft.

Note that this requires a phone that is always on and ready for Bluetooth whenever you turn on your PC. Not all phones are that way, but many are.

I think ST's comment above sums it up: any obvious protection or encryption will in itself attract the attention of customs, and in some places Customs can detain you indefinitely until they're satisfied you've handed over all the goods.

The problem is not hiding the goods, the problem is getting through customs. That means being a sufficiently good smuggler that Customs don't know and are extremely unlikely to discover that there are hidden things. It's not enough to simply hide them and say "ha ha I win". So work-arounds like hidden partitions and the internet remain the most effective way for data that you really do want to get through.

AFAIK Customs always have the option of simply saying "no, you can't bring that in". At which point you can turn round or sometimes they let you dispose of the objectionable item. It's extremely unlikely that they will let you through after failing to obtain decrypted data that they've asked for.

My solution is simply not to travel to states with poor politics, like China and the US. That's cost me one possible job so far but I'd rather lose a job than my life. Unfortunately both the US and UK have demonstrated that China and Burma etc really have nothing to worry about when freeing up their media, torture and disappearance still work just fine in a "free" country. This is just another example...

Right now, attempts to seize laptops without cause are quite rare. But they should be zero. However, I enter the USA (I am not a US citizen) several times per year and for most people it's not a bad process. That doesn't mean we should not try to stop the excesses but I wouldn't give up work in the USA because of it, not even close yet.

I just would like to see a disk encryption system to protect you from both laptop thieves and customs seizures that is so easy to use that there is no reason not to use it. The downside is you might forget to lock it a few of the times you need to, but that's better than one so hard you never use it at all.

If you have data you don't want customs to see why would you carry it with you? Why not just store it on a server (in a data center, back at home, anywhere) and access it as you need to (via an encrypted link, of course). Or maybe the encrypto gadgetry is just more fun :-)

Moz (above) is right that the real problem is getting through customs. Continuing his thought process, one realizes that it would be very difficult to design a product that both protects your data and is invisible to Customs. Once any product becomes even a little popular, customs will know to look for it specifically. Determining whether you have AntiCustoms Disk Protection installed on your system will probably be far easier than answering the question of what you have encrypted, but once they determine that you have "something to hide", your life can quickly become miserable regardless of what that something is.

So, I don't yet see a lot of hope. While technically knowledgeable people can invent personal systems that customs won't find, I don't see how the majority of people could benefit from this. In fact, having a "benefit" like this only available to a few people becomes an impetus in its own right to declare it illegal.

What's on encrypted hard disks is none of their business. I am a cryptographer and cryptanalyst for a government, and all my computers and laptops are encrypted with high levels of security and encryption. There is no way customs of any country would have me decrypt one of my laptops, ever. Because doing so would have me sent to prison for life in my country, on high treason charges. Some companies work in special areas (weapons, and high-level industrial secrets) and do encrypt laptops that leave the company.