I've been rethinking my personal threat model due to wholesale scanning of electronic devices at the U.S. border. I think I've figured out a few things that I can use that might be useful for others.
The problem is this: Currently, Customs and Border Patrol (CBP) is scanning devices, but they are not scanning data that's not on the device or not directly reachable with the device. This is due to their interpretation of Riley v. California -- a U.S. Supreme Court decision that said that law enforcement can't use credentials found on the phone to gather additional data without a warrant. If they're suspicious (or if you annoy them), they can seize your phone. So, I need to be sure that my phone is "disposable" and I won't lose any critical data.
Wiping my phone might work, but there's some information that I'd like to install on my phone before I leave (phone numbers of people I'll be visiting, for example), and if searched, a wiped phone is very suspicious. Instead, I'm planning to use a new "US Only" account that will have phone numbers for the people and hotels I'll be visiting and little else. I can survive with that until I return. I keep most of my passwords in a password manager, so if I've forgotten anything, I can install the password manager and retrieve my passwords after I've crossed the border.
One thing that becomes much more complicated is two-factor authentication (2FA). I don't want to use something like Google Authenticator that stores keys on the phone, because then I won't be able to log in to anything if my phone is lost. Fortunately, I use a Yubikey for 2FA whenever possible. So long as it's not seized (Since I'm a US citizen, they'd really be stretching their legal authority to try), I should be able to keep using it. If not, I've configured my accounts to use a second Yubikey that I'll leave at home.
My process will look like this:
The problem is this: Currently, Customs and Border Patrol (CBP) is scanning devices, but they are not scanning data that's not on the device or not directly reachable with the device. This is due to their interpretation of Riley v. California -- a U.S. Supreme Court decision that said that law enforcement can't use credentials found on the phone to gather additional data without a warrant. If they're suspicious (or if you annoy them), they can seize your phone. So, I need to be sure that my phone is "disposable" and I won't lose any critical data.
Wiping my phone might work, but there's some information that I'd like to install on my phone before I leave (phone numbers of people I'll be visiting, for example), and if searched, a wiped phone is very suspicious. Instead, I'm planning to use a new "US Only" account that will have phone numbers for the people and hotels I'll be visiting and little else. I can survive with that until I return. I keep most of my passwords in a password manager, so if I've forgotten anything, I can install the password manager and retrieve my passwords after I've crossed the border.
One thing that becomes much more complicated is two-factor authentication (2FA). I don't want to use something like Google Authenticator that stores keys on the phone, because then I won't be able to log in to anything if my phone is lost. Fortunately, I use a Yubikey for 2FA whenever possible. So long as it's not seized (Since I'm a US citizen, they'd really be stretching their legal authority to try), I should be able to keep using it. If not, I've configured my accounts to use a second Yubikey that I'll leave at home.
My process will look like this:
- A day or two before the trip, wipe my phone and start forwarding email to my US-only account.
- Use the EFF dice list to change the password of my US-only account to something I can remember (so that I can provide the password if ordered to do so). I normally use very long randomly generated passwords, so that even I don't know the passwords to most of my accounts.
- Reinstall with a clean US-only account. Install as few apps as possible.
- Install anything that will help with the trip itself: US contacts, trip itinerary, etc. (This information may be seized by CBP, but it's all easily discoverable anyway.)
- After crossing the border, if I need to do anything weird, reinstall my password manager and any required apps.
- When it's time to return home (and cross the border again), repeat this process starting at step 1.
This process should leave me with a phone that's not wiped and has as little information as possible, but it will still have enough information for the trip, and if I'm wrong, I'll be able to install anything else that I need.
One thing that needs to be mentioned here: I'm a boring white guy with a common American first name and a European-sounding last name. I'm also a former U.S. government employee who has been validated with Global Entry. The chance of me being detained or searched at the border is close to zero. I'm doing all of this only because it's good operational security practice. That is the ONLY reason that I'm willing to talk about this. I know that plenty of other people have similar concerns and are doing similar things, but their names are a little bit more strange, or their skin is a bit darker, so they don't dare talk about it publicly. Being able to speak freely about this is a luxury.
Comments
Post a Comment