Tuesday, August 12, 2008

Again, On Laptops and US Borders

"According to the U.S. Department of Homeland Security (DHS), Customs and Border Protection (CBP) officers can confiscate and detain travelers' laptops at the U.S. border without suspicion of wrongdoing. Laptops can be taken to an off-site location for an undisclosed period of time, during which officials may examine the computer's contents and share copies of files with other agencies. This policy applies to any other form of digital or analog storage device, including iPods, cell phones, flash drives, hard drives, and tapes." (source)

"The key to the above paragraph, of course, is 'without suspicion of wrongdoing.' Indeed, in the policy (PDF), DHS says (emphasis mine), 'In the course of a border search, and absent individualized suspicion, officers can review and analyze the information transported by any individual attempting to enter, reenter, depart, pass through, or reside in the United States.'" (source)

Fun question that was brought up by someone on a security mailing list: if your employer-owned laptop is "captured" by DHS, TSA or Customs AND it has regulated information on it (CCs, SSNs, PHUI, etc.), do you have to report it as "data loss"? The chances of that info being lost are definitely much, much higher now AND the control over such data is clearly not in your hands anymore... Niiiiice.

Dr Anton Chuvakin