As a general rule, all data on electronic devices, regardless of use, should be encrypted. Full disk encryption remains the baseline standard for laptops because it automatically protects all data and empowers the device owner to control access. Using BitLocker on Windows, FileVault on OS X, or LUKS on Linux makes it very difficult for an unauthorized person to access data after a laptop has been powered off.
Google, Apple, Blackberry, and other smartphone operating system vendors have added features to encrypt data stored on mobile phones and tablets. While implementation details differ, it is clear that vendors are starting to take privacy seriously.
Full disk (or full device) encryption is a critical first line of defence against unauthorized access. In addition to choosing a strong password for encryption, it is essential to consider the protection of backups. Device encryption on a smartphone means little if a backup of the device can be obtained.
Once a user surrenders the password to authorities, logs into the laptop, or unlocks the mobile phone or tablet, disk-level (or device-level) encryption obviously no longer protects the data.
Smartphone and tablet users must be cognizant of the fact that many applications store credentials, so their data is available as soon as the device is unlocked. This generally includes mail, calendar, contacts, notes, reminders, social media, photos, and cloud data storage applications. While it involves extra effort, one strategy is to log out of applications and remove service configurations so that no data is present on the device. In the event that it is searched, this will prevent the search from extending to data stored off the device in cloud services.
Another strategy is to ensure that all data is backed up and then reset the smartphone or tablet to factory defaults prior to travel. Cloud-based backup services offered by leading vendors may be ideal for this purpose. Upon arrival, applications and data can be restored. This approach might be a bit intimidating to some users, but it allows crossing the border with a device that can be fully inspected without compromising privacy. It’s the electronic equivalent of travelling with an empty briefcase.
Laptop users have several alternatives. In addition to full disk encryption, a second layer of protection is possible using encrypted folders or other containers. This allows some data to remain encrypted even when the user is logged in. But if government officials have the authority to demand the login password, one would assume they may also demand container encryption keys.
Some cryptographers have proposed schemes that involve sending decryption keys to their destination, thereby ensuring that the traveler is not capable of decrypting information while crossing the border. It is difficult to understand how choosing to transport data across a border in what is essentially an unopenable container will help the traveler. At minimum, it is likely that such devices will be detained for detailed forensic examination.
Some full disk encryption products provide hidden partitions and even hidden operating systems. One password may access the user’s normal operating environment, while another may access a completely different environment. However, it is likely that forensic techniques will reveal this deception, and lying to border officials should be avoided.
A good strategy for most travelers is to leave their laptop at home or travel with a clean laptop containing minimal personal or business information. One way to achieve this is the traditional process of wiping and re-imaging the laptop drive. Free applications like DBAN are available to wipe hard drives, and most SSD manufacturers offer software to erase all data on their products. Commercial software is also available. Businesses with IT departments may find this fits well with their existing processes.
While travelling, files and emails can be retrieved from, and stored to, cloud providers. While data holdover issues may occur, they can be minimized by using proper overwrite procedures and applications such as BleachBit to clean the computer and free disk space.
Live distributions (often called LiveCDs) may be an appropriate data privacy strategy for some travelers. These free systems allow booting directly from a DVD, USB stick, or memory card. Changes to the file system are held in memory and are automatically discarded when the laptop is powered off or rebooted. Browser histories, files, and forensic artefacts simply no longer exist.
Some live distributions, like Tails, are privacy oriented and include features such as web browsing via Tor. Others focus on more general desktop functionality. Users can store files on additional memory devices if persistent data is required. Live distributions can be used in addition to a traditionally installed operating system by selecting them from the boot menu. Alternatively, hard drives can be removed from laptops or used only for carefully contemplated file storage.
While live distributions may be perfect for travelers who need email and web access, and are comfortable using free Linux applications, they may not address the needs of users who wish to install and use their favourite applications while travelling. Rapid freeze and restore software may be an alternative to wiping and re-imaging laptop drives before and after each trip.
Rapid restore software was originally designed for kiosks, computer labs, and educational environments, but is gaining traction in other areas. Products such as Deep Freeze from Faronics and Drive Vaccine from Horizon DataSys are intended to rapidly return a computer to a baseline configuration. They are designed as an alternative to re-imaging on a per-boot, on-demand, or scheduled basis. However, they are not designed or intended to prevent leaving artefacts that could be retrieved using forensic techniques and therefore should not be relied on to eliminate sensitive information.
Finally, all travelers must contend with the fact that border officials have broad powers to search and detain goods, including electronic devices and data contained on them. It is possible that taking privacy precautions such as wiping hard drives or travelling with a factory default device could be mistaken for having something to hide instead of simply exercising one’s right to leave business and personal data at home. Travelers should ensure that contingency plans are in place to support their IT requirements if electronic devices are detained by border officials and not promptly returned. Individuals with concerns should consult with their lawyer.
Have a security question that you’d like answered in a future column? Email firstname.lastname@example.org.