Tuesday, 10 January 2012

Death of electronic privacy

Hat tip to @nigroeneveld for these two articles which, taken together, I think point the direction America and the US will increasingly go when it comes to electronic data seizure. The first is about the increasing use of seizures at airports of laptops and data storage devices:

And nab gadgets they most certainly do. Johnston writes that last year alone, 5,000 devices were seized:

The Customs and Border Protection agency says the power to seize laptops is necessary to find information about terrorists, drug smugglers, and other criminals trying to enter the country. Of the more than 340 million people who traveled across the US border in 2011, about 5,000 had laptops, cellphones, iPods, or cameras searched.

The other is about an ongoing court case, trying to determine if you can be forced to give up your passwords for your devices in order to get around encryption:

In Colorado, a District Court judge is deliberating on whether Ramona Fricosu, accused of committing financial fraud, has to disclose her laptop password to decrypt the stored content.

Marcia Hoffman of the Electronic Frontier Foundation (EFF) is counsel for the defendant. She alleges that Fricosu should not be compelled to give up her password for two main reasons:

  • The government haven't specifically identified what they are looking for on the laptop. This makes it seem somewhat of an evidence-fishing trip.
  • Requiring disclosure of the password would breach her US Constitutional Fifth Amendment right against forced self-incrimination. There hasn't been any immunity offered for loss of this protection.

Whatever the differences in legal structures (Constitutional vs non-Constitutional), the desires of law enforcement agencies remain the same. Strong encryption grows easier and easier to implement, and it's now more or less at the stage where commercial (or even free) encryption is impossible to break by brute force (unless you're happy to still be working on it when the Sun turns into a lump of coal the size of a fist). So the law will have to turn to compelling people to give up passwords or face a lengthy prison sentence and/or fines.

The problem for law enforcement is that this problem has already been fixed. Some suggestions from the first of the two articles:

Resisting the government isn't a viable approach to protecting your data in these legal seizures. Johnston lists a few approaches that businesses are taking to keep trade secrets from such seizures:

  • Wipe laptops clean before you travel.
  • Move sensitive information to the cloud and retrieve it later.
  • Move information to a flash drive or external hard drive.

To which I would add three additional recommendations:

  • Encrypt whatever device to which you transfer sensitive information. All you have to do is poke through the lost & found at a transit station to realize that USB drives, at least, fall from our pockets like leaves from autumn trees.
  • If you travel frequently, consider buying a second laptop to bring in order to leave your personal computer at home.

These measures are all pretty reasonable, and very easy to implement. Cloud data storage would be my preferred means for a lot of stuff, but of course, there's always the chance that too could be pulled if someone had access to your laptop for an indefinite period of time and had your passwords.

So what do you do? I'd recommend that if you have to travel with data on your laptop, you think about using TrueCrypt. Not only does it allow you to create an encrypted partition, it allows you to create a hidden partition within that which is also encrypted. So if you ever have to give up your passwords, you'll only be letting someone access your "safe" partition. From the outside, your average law enforcement guy is going to really struggle to prove there is a hidden partition.

I know it can sound paranoid to talk in these terms, but good data security can't be beaten. How many times could embarrassment have been avoided if Government laptops had decent security on them? Indeed, I've lost count of the number of times I've received emails at work along the lines of "A person who will remain nameless lost a laptop, so we're instituting a password system that means all passwords must be 85 characters long using a mix of languages, including one we made up just for passwords". My current password is absurd, in an attempt to comply with draconian rules.

And frankly, it should be difficult for law enforcement or anyone else to go rummaging around in your laptop or personal data. People's lives are so entangled now with electronic devices that pictures of the kids often sit next to confidential work emails, and no one should have the "right" to take away your right to keep what's private private, unless they already have clear evidence of your criminality.

Or just don't travel.
