keeping passwords from the police

I have a thought experiment question. I don’t need this information, if someone asked me for my passwords I would surrender them.

But, as many of us know, Customs can seize our electronic devices at the border and demand our encryption passwords. Recent court cases require us to provide that information.

My question is: say I invent long difficult passwords, write them down and leave one copy in a secure place and take the other copy with me on my overseas trip. While overseas I use this secure password to lock my electronics and then destroy the copy I have with me. The password is so difficult no one could possibly remember it-and further I make no effort to remember it. I come home. I document these steps, say on a web page or a letter to my lawyer in such a way as to be able to convince a judge that I am telling the truth (lets just assume). The Custom agents detain me and demand my passwords. I asure them that a) I didn’t memorize the 128 byte random number, and b) the only copy is stored in a secure location within the US. Can they make me go get the password and return to the border to give it to them? I am not under arrest, just “detained”, and have committed no crime. Can I be compelled to actually do something as complex as traveling to a distant location, retrieving something and returning the the place of detention? I realize I lose my electronics-I don’t ever plan to travel overseas with anything valuable that might catch the eye of a government agent at the border!

Related question. Can I legally encrypt information overseas and transmit back to the US? Could I travel overseas, encrypt all the information on my electronics, transmit it back to the US, wipe the disk and memory, and simply tell the nice agents at the border there is no password because there is no OS on the device(s)?

My inexpert guess is that the Border Patrol would confiscate your device and you would be required to appear in court at a later date with the password.

As for wiping the drive; I can’t see any plausible scenario in which that would be illegal.

I’m not familiar with the law the OP refers to. what are the penalties for non-compliance? Are you held in contempt or is there a set penalty?


BTW, the easiest thing to do is upload the information via encrypted VPN connection (which I do understand is redundant), access it as required, and then delete. If you store it in an encrypted file on the FTP server, there’s never an issue of running afoul of customs.

Use TrueCryptand have a hidden encrypted area of the drive inside an encrypted area of the drive.

In my opinion would be easier to leave a desktop home turned on, and take with you a laptop having only the operational system in it, go to anywhere in the world and use the REMOTE DESKTOP FEATURE in Windows XP and access programs and data at will in the desktop. Note that that your computer can be accessed from anywhere, at anytime and function the way you want it to, and you can configure it to let only your choice of devices to access the desktop. You can use proxis, you can use encription, whatever makes you feel safe, and do not forget a good pc cleaner program to erase all temp files and registry after use, then when confronted with any arbitrary police force, all they would get out of the computer is an empty OS.
A good way to use out of the country, and maybe out of the reach, data storage, is to have one of those free email accounts with a big or unlimited storage space, from anywhere in the world, and you email attachments to yourself with all the data you want to have securely stored.
Privacy is a golden dream that got to be pursued at any cost.

There’s some existing case law on this (that may still be unresolved) regarding a suspected possessor of child pornography entering the US from Canada. He refused to divulge the password to decrypt the volume. (all of this is IIRC)

There was discussion regarding whether the demand for surrender of the password would violate his 5th Amendment right - after all, he would be providing evidence to prosecute him.

Thing that strikes me is… very few folks use crypto properly, and a good forensics lab ought to be able to brute force him (given time and processing power) - unless, of course, he did everything correctly. Beyond that we’re talking intelligence agency-level stuff (and both the law and the level of priority would eliminate involving them in this case).

Anecdotally, various firms I’ve worked with (I’m a security guy) have issued guidance that we encrypt the whole volume when traveling overseas and not know the password. The password can be recovered out of band once we’re safely past security checkpoints. In most cases, prudence would dictate that you bear a letter with your signature, a company official’s signature (residing in your home country), and that of the possessor password (also in a non-destination country) indicating that the bearer of the letter (and laptop) have no means to decrypt the volume, as they do not know the password.

Or you could become a diplomat and use a courier. :slight_smile:

Drop box. Laptop. Desktop at home.

You put all the files you want to keep private in dropbox. Your computer has the same dropbox contents in both computers. [I am thinking it is files of email, correspondence, pictures, anything in documents like spreadsheets and such]

You disconnect your computer, wipe drop box, delete it from your computer. As long as you do not log into drop box and reload it again until you need or want it, it is not on your laptop, just your desktop back at home. I have my i tunes and pictures in drop box, and when I travel I use an asus eeepc that has dropbox to synch my ebooks, itunes and pictures. If I thought I needed the privacy, wipe and restore the OS from a USB thumb drive I made for that purpose.

I never knew that you could be required to give your password at customs. So, related to the question at hand:

I am issued a laptop by the company I work for and it contains sensitive information owned by the US Government (or, at least, it is equipped to access it). Were I to go through customs could I be required to surrender the password to a laptop that is not my property and contains information that requires a US security clearance? (Let us assume here that I am traveling for work and leaving the laptop at home is not an option).

I was thinking along the same lines. My wife’s laptop has encrypted files on it that are protected by HIPAA regulations. Can Customs over-ride those protections if she chooses to do some work while vacationing in Vancouver, BC?

Unless you can provide written authorization, they will probably nail you for taking federal government data out of the country.

Nothing to add on the security front, because I simply don’t know.

On the human nature front though, I wouldn’t carry an “empty” anything.

I would load the thing with a few gigs of innocuous and meaningless files - maybe family photos, random videos of events (eg: car shows that I had attended), basically meaningless notes to myself and the like.

Stuff that doesn’t mean much of anything, nor in reality compromise my privacy in anything other than “know he knows what type of underwear I like”.

Why? An empty laptop would scream (to me) - “this guy is trying to hide something”, a laptop with low level personal stuff on it is gonna pass by as “normal” - with much fewer questions asked.

Just to clarify since as a computer guy I have seen these types of instructions end in tears.

Uninstall drop box
wipe dropbox storage folder