Crossing Borders


#1

Recently, a Canadian journalist working for the CBC was selected for secondary while crossing the U.S. border to cover the Dakota Access Pipeline protests. He was held for six hours, questioned, had his devices taken, and was then denied entry. The full story is here:

The good news is that his devices were encrypted and he refused to decrypt them.

The bad news:

1.) The Keylogger Problem: The article makes clear that there was evidence that his devices had been tampered with, but it's unclear whether Ed Ou, the journalist, knew that he should never decrypt confiscated equipment, after it has been returned to you. Even if law enforcement is unable to access the encrypted data, they may modify your device to capture your disk encryption passphrase as you enter it, after you are released and once you believe that it is safe for you to do so.

2.) The Android Problem: The article doesn't mention whether Ou carried Android or iOS devices, but if he had Android devices, then unfortunately it is likely that law enforcement was able to access his data. Why? Android uses LUKS disk encryption, which is the same FDE technology that's used to encrypt most Linux systems. The problem is that LUKS' security relies heavily on the length of the user's passphrase. If it's short, it becomes fairly trivial to decrypt the drive. This is a problem on Android because Google chose to make the disk encryption and device unlock passphrase the same. So, if you choose a strong, 40 character disk encryption passphrase for your Android phone, then you will have to enter that every time that you want to unlock the screen. Unsurprisingly, almost no one does this. iOS solves this problem by mixing the user-generated pin with a unique key generated by the device's secure enclave, which is a separate chip on the device. This way, you can have your easy to remember pin and eat your secure device encryption cake, too. Google can't implement something similar, because Android is device agnostic; Google doesn't make phones, they make a phone operating system, which should ideally work on as many phones as possible. As a result, Google has no easy route to solving this problem. In theory, a powered-down Android device with a 40 char passphrase is just as secure as a powered-down iOS device, but in practice no one has a 40 char passphrase.

In addition, there is a difference between how Android and iOS implement device encryption that is especially important. iOS implements file-level encryption, so that your device is encrypted, even if it is powered on. Android implements full disk encryption only, so that your device is only encrypted if it is powered off. Linux offers both LUKS (for full disk encryption, which Android uses) and ecryptfs (for file level encryption), but Android only implements FDE. Since most users rarely power down their phones, this seriously limits the practical benefits of Android's device encryption.

3.) The OPSEC Problem: When he was pulled for secondary screening, law enforcement already knew that Ed Ou was traveling to cover the Dakota Access Pipeline protests. They ultimately denied him entry into the U.S., and his reporting was thwarted. This cuts to the heart of the dearth of adversarial thinking among most journalists. The privilege of the press is dead or dying. Anyone with a camera and an internet connection can report on things like protests, including protestors themselves (who produce most of the primary source stuff these days, anyway). Law enforcement sees journalists as no different from protestors, and treats them accordingly. It really doesn't matter whether you're an "activist" journalist or a just-the-facts style traditional skeptic, if you show up and record police tossing flash bangs at hippies, then from law enforcement's perspective, you are a part of the problem. It really doesn't matter how you personally feel about law enforcement. If you don't want your reporting to be thwarted, then you have to treat them as an active adversary. They already see you that way.

I've had a variety of interesting experiences crossing various borders in different parts of the world. Here are some things I've learned/things I would recommend.

Tips:

A. Don't telegraph operational intent. This was Ou's biggest mistake. Even if he had traveled without devices (or with clean, newly bought devices), U.S. Customs and Border Patrol had already made up their minds that they weren't going to let him into the country to cover the DAPL protests.

Unless you're traveling back to your home country or traveling within the Schengen zone as a citizen of a Schengen country, you have no particular right to enter a country.

So, have a cover for status. Ou could have booked a holiday trip to NYC to visit relatives/friends, and generated cover traffic with his bosses at CBC ("I need some vacation days to visit my friends/family.") and with his relatives/friends ("I can't wait to see you this holiday season."). Plaintext emails can be your friends, sometimes.

Think this is nuts? Fine. Don't expect to cover stuff like #NODAPL or West Bank protests. You will never make it past customs. Treat the security services with the respect they deserve, especially countries with strong SIGINT capabilities, such as the U.S., Israel, and the UK.

B. Travel with newly bought equipment (for laptops, used hardware is fine, if you're a Unix person), or no equipment at all. Your equipment should be clean. Naked in, naked out.

C. Use iOS. Don't use Android. iPhones are expensive, so use an iPod touch if you need a clean mobile device.

D. Power down your devices before transiting customs.

E. If any of your equipment is confiscated, then dispose of it immediately. Assume it is compromised. Do not boot it, or enter passwords. Cut your losses and chuck it.

Since this is obviously pretty cost prohibitive, I recommend crossing borders with no equipment at all, even clean equipment. You can buy what you need in-country. Transiting with clean equipment is just an opportunity to lose money when your devices are confiscated. You can encrypt and upload your work files and contact details, so that you can access them once you're inside the country where you wish to report, or you can have a friend message you the information/files you need via end-to-end encryption, once you've gotten in-country and can purchase equipment (and sell it before departure, if you can, to recoup some of the cost).

If you absolutely can't afford to buy burner equipment, then maybe you could try having a friend mail your (encrypted, powered down) stuff in a way that's less likely to garner attention (have them book an Airbnb for you under their name, then mail it there, where you can pick it up). However, this is a gamble, since your package could have been opened without your knowledge.

Finally, if you absolutely can't spend money this way, there are ways to go cheap and still remain effective. Besides mailing your stuff, encrypting and uploading your files & zero filling your laptop's hard drive before crossing a border is also an option (if you know how to do that). You will want to re-install a clean commercial OS for your border crossing, otherwise a laptop that doesn't boot will look weird to customs.

Edit: Feedback appreciated. Is this useful or impractical for your use case? How do my experience/opinions jibe with yours, or not?


#2

Thanks, Ethan!


#3

We have some advice on this in the "Borders" part of Umbrella App:

Content is up here on our Github:


#4

Glad someone brought this up, because it definitely sets a worrying precedent. Ethan thanks for your post, lots of useful info. I'd like input from someone else about the first point:

OK, Ou could have come up with a cover story to disguise his intent, but is that wise? Once he started reporting from N. Dakota it would have been clear that he intentionally lied to border control - wouldn't that be a surefire way to get him denied access into the US in all future scenarios? Seems like a big risk...


#5

Sorry, I didn't explain that well. I'm not suggesting that people lie to customs. If you give a reason for travel that is true, and omit your other reason for travel (and don't "telegraph" this second reason for travel), then you are more likely to get through. So, the hypothetical trip to visit friends/relatives would have to actually happen, in addition to the reporting.

If customs officers don't have a reason to ask you about something, then you can't be accused of lying to them afterward.

Otherwise, it'd be kind of difficult, right? For the most part, one only has a right to entry in one's own country. If what you're reporting on is anathema to the people who control the border, whether in the U.S. or abroad, then it's a tricky situation.

Maybe someone else can chime in with experience or tips crossing borders? There are plenty of places where this is a problem. If I were a journalist, I wouldn't want to have to tell Turkish customs that I'm going to report from the Kurdish semi-autonomous zone, for example.


#6

Here's an interesting report from The Washington Post: a NASA/JPL employee in the "Global Entry" program was detained at the border after a vacation in Chile. He was forced to supply the access code to the NASA phone:


#7

Here's a follow-up article:


#8

What are all of your thoughts on this?


#9

So the problem with cover stories is that they are really hard and people completely mis-underestimate how much practice and thought goes into doing them well. We cover this in some of our training courses for journalists and activists and it's really amazing how many think you can just come up with stuff on the fly or without significant practice - then within minutes we always manage to break down the story. I'm swamped at the moment but if I find the right place or publication I will try and turn our cover story advice into an article and publish it.


#10

Something I think that is getting missed about all this is that a lot of people are being very US and techno-centric when they create these articles. Security is about more than just digital issues! Threat modelling is really very limited in this context and a lot of people writing them seem to lack operational experience getting into the nitty gritty details of what effects this may have on different audiences in the field.

Doing something like this requires that you consider the risks of your phone seizure versus the risks you may face without your primary smart phone. If you're an activist flying from London to D.C. then fine. But what about if you're an activist flying from D.C. to the DRC and back - then your threat model changes from potential TSA problems to physical security threats.

For just one example of this, let's say you ask people to ditch their phones and take a burner because of a potential risk at the US border. Now you have removed one of the best devices for the person's physical security - a smartphone that can update people about security alerts, about local news, weather, disease risk, riots (e.g. the stuff in the Umbrella App dashboard), share data amongst groups of people on the ground, can send GPS alerts in an emergency, can help them navigate if there is a problem, has a flashlight on it in darkness, has access to emergency contact details, insurance information, medical data, nearest hospitals etc. Now, your relatively low likelihood/low impact potential digital security risk at a US border has overridden the low/medium likelihood but high impact physical security risks...Ditto even basic tactical things like people are lazy, data is expensive and they will often not bother to restore the most important contacts and information that they may need when they travel, which can be a problem in an emergency...

It's the little tactical nuances in physical and digital threat modelling and implementation like these that have been the difference between life and death on occasion.


#11

Recent articles (one of which I posted above) suggest that you do so at your own risk. Of course, crossing the US border now regardless of any other consideration seems to entail risk (if you're foreign born) and endless annoyance (anyone).


#13

Heading to NICAR next week and I was excited to see if this thread contains a practical checklist for crossing international borders in 2017. Instead, the only recommendation seems to go full Amish.

Travelling with a computer is not a choice for me, and I only have so many of them. Travelling while doing journalism is part of my job description, so leaving all sensitive material at home and inaccessible doesn't really work either.

I think a more practical approach, making real-life trade-offs of security and practicability is needed here.


#14

It's a hard problem to solve.

This is the easiest checklist I could come up with that doesn't expose your data to customs or to a cloud provider:

  1. Buy a MacBook Air and an iPad mini 2 (don't worry, we'll be returning these later).

  2. Put the files you need on the MacBook via USB. Transfer these files to the iPad. Perform an encrypted backup of the iPad, using iTunes on the MacBook. Obviously, do not sync to iCloud.

  3. Upload the encrypted backup of the iPad to Dropbox.

  4. Erase the MacBook's disk. Do a factory reset on the MacBook. Return the MacBook for a full refund.

  5. Erase your iPad, go to Settings > General > Reset and select Erase All Content and Settings. Do a factory reset on the iPad. Return the iPad for a full refund.

  6. Fly to your destination without any devices.

  7. At your destination, buy a MacBook Air, an iPad mini 2, and an external keyboard for the iPad. Download your encrypted backup file from Dropbox, and restore your backup to your new iPad with the backup.

  8. Do journalist things, using the iPad with the external keyboard.

  9. Perform an encrypted backup of your iPad and upload the encrypted backup to Dropbox. Erase the MacBook's disk. Do a factory reset on the MacBook and return it for a full refund. Erase your iPad: go to Settings > General > Reset and select Erase All Content and Settings. Do a factory reset on your iPad. Return the iPad for a full refund.

  10. Fly home, without any devices. Once home, buy a third MacBook Air and iPad mini 2. Download your encrypted backup from Dropbox and restore your iPad. Transfer your files from the clean MacBook to your normal working laptop, via a new USB. Erase both the MacBook and the iPad. Perform a factory reset on the MacBook and the iPad. Return the MacBook and the iPad.

Dollars spent == 0

Hassle == kind of a pain

Technical knowledge required == normal Apple user things

Thoughts/feedback/reactions?

Caveats:

-This won't work if there is no Apple store where you are going. Workarounds could involve getting a local contact to order a MacBook Air and an iPad mini 2 with a keyboard for you, so that they would be available when you arrive.

-Although technically free, this method requires substantial up-front funds to float the equipment purchases, before everything is returned.

-The passphrase you use to encrypt your iPad backup must be strong (about 40-50 characters). iPad/iPhone backups using iTunes are encrypted using AES, which is a symmetric encryption cipher. The strength of the encryption is directly dependent upon the strength of the passphrase. This is not true of your iPad/iPhone disk encryption, because these devices use a "secure enclave" (similar to a trusted platform module or TPM) to perform encryption/decryption. As a result, forensics technicians cannot just image an encrypted iPhone, put the encrypted image on dedicated hardware (a fast computer), and use that hardware to accelerate the process of guessing the unlock code. Functionally, this means that a 10 character pin is safe on an iPad/iPhone, but would not be safe on an encrypted Android phone, Linux laptop, or your encrypted iPad/iPhone backup, all of which use AES (basically), without a "secure enclave." Since you will be exposing your encrypted iPad backup in the cloud, on Dropbox, you must choose a strong (40-50 character) passphrase.

Pro tip: Recruit different friends to purchase the Apple gear for you, because if you return a lot of things to Apple, they may get wise to your cheapskate moves and bar you from returning things to them in the future. Most retailers track returns. Not a security issue, but just FYI.

Bonus points: Consider "pair locking" your iPad to your "in country" MacBook Air, after you arrive at your destination and purchase these devices. This will block most forensic tools from connecting to your iPad.

More info on pair locking here.

Consider using a self-hosted VPN for your iPad and your MacBook Air, while you are traveling abroad. Algo, from Trail of Bits, is great.


#15

Sorry @ethannorth but I think your last example is probably not really reflective of a real workflow on a trip and the amount of time and effort someone would actually have on the ground to do this stuff.

I mean adding up all the stuff here (going to a shop twice or asking friends to buy you hardware, uploading massive files, downloading massive files - especially in the field where connections can be crappy, installing, wiping) looks like it would take a hefty chunk out of at least one if not two days (especially during the day when a shop is open but you also need to be doing most of your journalist stuff) to do this.

Upload the encrypted backup of the iPad to Dropbox...Since you will be exposing your encrypted iPad backup in the cloud, on Dropbox, you must choose a strong (40-50 character) passphrase.
Perhaps adding an extra layer of security with https://cryptomator.org or an e2e tool like SpiderOak or something instead. Or just stick it into a well encrypted VeraCrypt file.

This won't work if there is no Apple store where you are going.
So that's really most of Asia and Africa ruled out.

Workarounds could involve getting a local contact to order a MacBook Air and an iPad mini 2 with a keyboard for you, so that they would be available when you arrive.
Problematic, as ordering in non-Apple served places can often take weeks. Also, based on my experiences in Asia, Africa and some bits of Latin America/East Europe - there is a huge amount of fake hardware, up to 50%. Which is a big security problem in itself.


While I get the TPM issue, I think a slightly easier workflow (and the only one that I've ever really seen used a lot) that balances between time, security, cost and effort is:

  • Backup your stuff at home
  • Select the information you really need to travel with. Encrypt it using your preferred method (VeraCrypt, Cryptomator, SpiderOak etc)
  • Upload it somewhere that you trust
  • Wipe your Windows/macOS/Linux/Android/iOS or whatever device
  • Go through border
  • Get to place
  • Download the stuff you need using secure method - VPN etc
  • When finished, do the process in reverse

There are obviously other things to think about like counter-tampering issues in hotels, possibly changing accounts that may have been used on public networks, having an external throw away email in case you need to print stuff, USBs etc. but I just wanted to keep it simple.

Are there some trade-offs in this? Yes, absolutely. But it's probably about the most that anyone is really willing to do.


#16

That's fine and sensible as long as people know that securely erasing devices is hard, so there is a non-zero chance that data you thought you erased is recoverable (so perhaps it's not fine or sensible).

Physical confiscation of a device whose owner was forced to decrypt it is the worst case scenario, where the forensics person has the greatest advantage. So, if sensitive information was previously stored on the device, then this could be a problem.

Beyond that, if the device leaves your sight during a search, or if customs performs a forensic examination of the device in your presence (plugging their equipment in, versus just manually browsing through your stuff), then you can't use it anymore. I certainly would not trust a device that has been examined in that way, nor would I rely on a wipe & OS re-install to render it clean.

That said, if customs sticks to manually looking through your device, then what you outlined is fine... but there is no guarantee that they will.

I recommended the iPad because of the excellent security it offers, versus a Mac or Windows laptop, both in terms of app sandboxing and easy-to-use, yet effective disk encryption.

Personally, I don't cross borders with devices. I haven't done so for years, because borders are terrifying. However, I also don't follow my own advice here. I buy a cheap used Thinkpad after I arrive, replace the RAM so that the performance is good, and then run a hardened free OS (Qubes is nice, but that's just my personal preference). Before I leave home, I compress whatever files or passwords I need into a tarball, symmetrically encrypt that with GPG, and upload it to Dropbox. I do cross the border with a bootable USB that has just a Qubes image, only because making bootable USBs without dd is a pain. I use dd to zero fill the drive before I make the return trip, and then sell the machine or leave it as a gift for whomever I stayed with (after installing Ubuntu so that I don't leave them with an unusable computer). I don't spend more than $200 on the laptop, and I could spend under $100 if I cared less about RAM.

If I couldn't count on buying a cheap used laptop where I was going (which isn't typically the case, so I appreciate that your situation may be different), I would probably buy a cheap Thinkpad before departure, yank the HD, and live boot Tails. Honestly though, there are few countries where you can't buy a used laptop that will run Tails (which is much less RAM intensive than Qubes).

My checklist was an attempt to make a more usable version of this same idea, since I don't think it's reasonable for most journalists to learn how to install their own operating systems or wipe disks with common Unix commands. So, while technically far easier, I certainly agree that my checklist is also logistically intensive.

A more manageable version of the checklist could be:

  1. Buy MacBook and iPad at home. Put the files you need on the MacBook, transfer to the iPad, create the encrypted backup file and upload it to Dropbox. Return both items.

  2. While still at home (in the same trip to the Mac store!), buy a second (totally clean) MacBook and iPad, with an external keyboard for the iPad.

  3. Travel to your destination. If you are asked to unlock your devices, comply. As long as the devices don't leave your sight, and no forensics equipment is plugged in, they are fine.

  4. Arrive, download your encrypted backup and restore the iPad. Do journo things.

  5. Before you leave, create and upload an encrypted backup, wipe both devices, and sell both devices.

  6. Fly home with no devices. Restore your backup on a new iPad. Return the iPad.

This would at least eliminate the logistical scrambling during the trip.

Perhaps adding an extra layer of security with https://cryptomator.org or an e2e tool like SpiderOak or something instead. Or just stick it into a well encrypted VeraCrypt file.

All of these tools use AES symmetric encryption, so you would still need a 40-50 character passphrase. Some of these tools use better key derivation functions than others. Key derivation functions take your passphrase and stretch it into a longer, more secure key, before that key is used to encrypt your data with a symmetric cipher, such as AES. Apple recently chose a weaker key derivation function for encrypted backups in iOS 10, but fixed the issue with a security update in iOS 10.1. Cryptomator, which I hadn't heard of, uses scrypt for key derivation, which is a good choice. Either way, you're still going to need a secure, lengthy passphrase if you are going to use it for symmetric encryption, whether that is for the disk encryption on your laptop, or whether you're encrypting a backup or archive to store on a cloud provider like Google or Dropbox. A good way to make memorable, long passwords is with diceware.

Securely erasing data from a hard drive is difficult. When GCHQ came to the Guardian's offices to securely erase data they cared about, they brought angle grinders. They're not paranoid, they only take defensive security measures that match offensive capabilities they possess.

Simply wiping your machine and attempting to go through customs could end badly for you, if your machines end up in a forensics lab, subjected to strict scrutiny.

If you choose to cross a border with a wiped device, as @rorybyrne suggests, then you should absolutely not decrypt that device if customs demands it. You will need a strong disk encryption passphrase (40-50 characters for laptops, 10 for iOS). They will probably confiscate your devices, but you will still have your encrypted backup in "the cloud." Don't rely on erasing data from the hard drive to protect you against a forensic search.

Personally, I would rather avoid this kind of confrontation, especially since customs has many tools at their disposal to punish you for not decrypting your devices. Detention, strip searches, and cavity searches can be used on the flimsiest pretexts (of course, they will say that they did this because they suspected you might be smuggling drugs, not to punish you for not cooperating, they would never do that). Relying on disk encryption as your line in the sand puts you in a vulnerable situation, in other areas.

For what it's worth, Tech Solidarity recently released a good security guide, and they also advise: "Don't take devices across the US border."

I very much agree with them. I think that taking a device, wiped or not, across the US border is a bad idea.
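The passphrase-length argument in this post, and the Android/iOS comparison in the first post, worked through in Python as an added example (written for this thread, not the poster's own code nor code from Apple, Cryptomator or any other product named here). The guess rates, the scrypt parameters and the mini word list are assumed placeholders for illustration.

```python
"""Passphrase strength arithmetic behind the thread's 40-50 character rule.

Added example, not from the thread. Assumptions: the guess rates are
illustrative placeholders, not measurements of any real device or cracking rig;
the word list used in the demo is a constructed stand-in for a full
7776-word diceware list.
"""
import hashlib
import math
import secrets

SECONDS_PER_YEAR = 365.25 * 24 * 3600
DICEWARE_LIST_SIZE = 7776  # five dice rolls per word: 6**5 entries


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy of a secret built from `symbols` uniform picks out of `alphabet_size`."""
    return symbols * math.log2(alphabet_size)


def average_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the secret: on average half the keyspace is searched."""
    guesses = (2.0 ** bits) / 2.0
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def diceware_passphrase(wordlist: list, num_words: int) -> str:
    """Pick words uniformly with a CSPRNG, the software equivalent of rolling dice."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


def derive_key(passphrase: str, salt: bytes) -> bytes:
    """Stretch a passphrase into a 256-bit key with scrypt (the KDF the thread
    credits Cryptomator with). Parameters are illustrative. A slow KDF multiplies
    the attacker's cost per guess but adds no entropy the passphrase itself lacks."""
    return hashlib.scrypt(passphrase.encode("utf-8"), salt=salt,
                          n=2 ** 14, r=8, p=1, dklen=32)


def compare_attacker_models(pin_digits: int = 10, words: int = 8,
                            offline_rate: float = 1e9,
                            device_rate: float = 12.5) -> dict:
    """Years to crack under the two attacker models the thread contrasts.

    offline:   the attacker images the ciphertext (Android FDE, Linux LUKS, an
               iTunes backup sitting on Dropbox) and guesses on fast hardware;
               `offline_rate` assumes a weak or fast KDF, so hardware speed wins.
    on_device: each guess must go through hardware that holds part of the key and
               throttles attempts (the secure-enclave case); `device_rate` is an
               assumed throttled rate, not a measured iOS figure.
    """
    pin_bits = entropy_bits(pin_digits, 10)
    phrase_bits = entropy_bits(words, DICEWARE_LIST_SIZE)
    return {
        "pin_bits": pin_bits,
        "phrase_bits": phrase_bits,
        "pin_offline_years": average_crack_years(pin_bits, offline_rate),
        "pin_on_device_years": average_crack_years(pin_bits, device_rate),
        "phrase_offline_years": average_crack_years(phrase_bits, offline_rate),
    }


if __name__ == "__main__":
    # Constructed mini word list, only to show the generator; real lists have 7776 words.
    demo_words = ["apple", "badge", "cabin", "delta", "ember", "flint", "grove", "honey"]
    print("sample passphrase (demo list):", diceware_passphrase(demo_words, 4))
    key = derive_key("correct horse battery staple", salt=b"constructed-salt")
    print("scrypt-derived key:", key.hex())
    for name, value in compare_attacker_models().items():
        print(f"{name:>22}: {value:.3g}")
```

The same ten-digit secret goes from seconds to years once guesses are forced through rate-limited hardware, while an eight-word diceware passphrase stays out of reach even for the offline attacker, which is the distinction the thread draws between iOS unlock codes and everything protected by AES alone.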


#17

Short version:

  1. Don't travel with your primary devices. Buy travel devices. If you can work off of an iPad with an external keyboard, consider doing so. A Chromebook is also a reasonably secure platform, if you can do your work safely while sharing your work product with Google.

  2. If you are comfortable with refusing to decrypt your devices, then encrypting + uploading your files and wiping your devices before you cross the border, as @rorybyrne suggests, is OK. DO NOT wipe your devices and then decrypt them for law enforcement. If you're confused about why this may not go well, please read this and get back to me.

  3. If you are concerned about potential consequences for refusing to decrypt a device at a border, then do not travel with a device. Encrypt the files you need, upload them, and then either purchase a device when you arrive or travel with a new, clean device.

  4. Disk encryption passphrases for laptops or encrypted archives you intend to upload must be 40-50 characters. Unlock passcodes for iOS devices with a secure enclave (recent models) can be 10 characters.


#18

@grugq wrote a thing:

Aside from traveling without devices, which I think is your best option if you can't afford dedicated travel equipment, I mostly don't disagree with anything there.

On lying versus true cover stories: I agree that lying is a bad idea and that you shouldn't try that.

Conversely, it's not necessary to tell every truth under the sun about your trip. For example, it is not uncommon for some left-leaning Jewish U.S. citizens to take their birthright trip to Israel, but use it to protest the occupation of the West Bank. Now, when transiting customs, you obviously do not want to lie to the Israeli authorities. On the other hand, why volunteer that you're going to Israel to protest? "I'm doing my birthright trip," is true and sufficient.

Translating this to a journalist's role: if you're going to Israel (or anywhere else, for that matter), leading with: "I am going to your country to provide favorable coverage of opposition and dissident groups," is probably not a good thing to tell customs.

Don't lie. Don't treat a border interrogation like a tell-all therapy session, either.


#19

Wire Swiss, the company that makes the encrypted messaging app Wire, also wrote a journo-crossing-borders guide:

They also recommend a dedicated, clean, travel device. The only thing I would add is: make sure not to take the device back home with you.

No one seems to think that wiping a device and decrypting it at the border is a good idea, I might point out.

I get that buying dedicated travel devices is expensive (as is buying a device when you arrive). Learning how to make a live-bootable Tails USB and then downloading an encrypted archive, after you cross the border, is also a pain and involves learning things. Unfortunately, it's a hard problem to solve.

If you're mad about how inconvenient the "secure" suggestions are, then donate to the ACLU. Infosec is just a means to an end. Tech is a tool, not a solution in and of itself.


#20

On lying versus true cover stories: I agree that lying is a bad idea and that you shouldn't try that.

I would suggest that 99.9% of people shouldn't. Though there are some cases that we've worked through with some activists and journalists - getting them into places where it was absolutely required (we're not talking about USA here by any means). It takes a long long loooooonnngg time to do this correctly. It's a combination of extensive training (weeks at a minimum usually), personal ability, discipline, courage, building the back story, pattern of life, testing under extensive pressure, attention to detail, clothing/appearance, pocket litter, reconnaissance etc. Even then it could fail. Certainly it's not something that should be thought up on the back of an envelope. I think that should be the message. Not every "crossing borders" issue is a US one. Also, there is a very big difference between an alibi and a cover-story, the terms are not interchangeable, nor are their deployments, creation and use cases.


#21

Was this entire "Crossing Borders" thread helpful to anyone here?

If so, what was helpful?

If not, what was impractical or unhelpful? What could be improved?

Which parts of this thread do you disagree with or think wouldn't work, based on your experience?