EFF and ACLU triumph as federal judge rules that warrantless, suspicionless device searches at the border are illegal

Originally published at: https://boingboing.net/2019/11/12/alasaad-v-mcaleenan.html

…

Not hardly. Take a few minutes to read the opinion, then compare what plaintiffs were seeking versus what they got.

Plaintiffs sought:

1. A declaration that these searches were illegal.
2. A nationwide injunction prohibiting CBP/ICE from conducting these searches without a warrant.
3. An injunction compelling CBP/ICE to delete the data they’d already seized.

What plaintiffs got:

1. A declaration that these searches were illegal to the extent they lacked “reasonable suspicion.”
2. No injunction prohibiting these searches.
3. No injunction compelling deletion.

It’s even worse if you understand the difference between a warrant and the “reasonable suspicion” standard. Put plainly, “reasonable suspicion” is bullshit. It basically means “the cops can search you just because they feel like it, and, if you sue them, then they will make up a ‘reason’ for the search after the fact, and a court will never, ever second guess that ‘reason,’ so you always lose.”

This outcome is somewhere between “a loss masquerading as a win” and “a total fucking disaster.” Don’t celebrate.

if this ruling, thin as it is, gets appealed to the current supreme court even the reasonable suspicion standard is liable to be tossed out too.

Masha’s Rule 3.

I was expecting CBP to just ignore this ruling, but it looks like they don’t have to!

I thought people didn’t believe in privacy anymore.

Yes, I’m sure now all their suspicions will be very reasonable.

Here’s how you can see it’s gotten really totalitarian

An immigration officer at Boston Logan Airport reportedly searched an incoming Harvard freshman’s cell phone and laptop,

I mean, if it was a UMass freshman or someone enrolling at a community college, I was prepared to give almost zero fucks. But once I found out it was a H-A-R-V-A-R-D student,my outrage knew no bounds.

Does the part where you don’t have to give them a password still remain true here? How did they get access to the phones?

Yes and no.

CPB/ICE has no legal right to compel you to divulge a password.

However, they have lots of ways to coerce you into divulging it anyway. If you refuse to divulge the password to unlock a device, they will likely:

1. Confiscate the device. You may never get it back, and, even if you do, you can never trust it again. Replacing devices is very expensive and inconvenient.
2. Detain you for a long time. At the very least they will make sure you miss your connecting flight and any other flight leaving that day for your destination. Again, very expensive and inconvenient.
3. Deny entry and/or blacklist. If you’re a U.S. citizen, they’ll put you on a list so that you get harassed every time you travel. If you’re a non-U.S.-citizen, non-LPR, they’ll deny you entry and put you on a list so that you can never enter the country again. If you’re an LPR, they’ll tear up your green card, then deny you entry and put you on a list so that you can never enter the country again. (CBP has no legal right to revoke LPR status, but they do it anyway, and it’s very hard to fight it in court when you can’t enter the country to go to the courthouse.)

On top of that, at least with respect to smartphones, it’s questionable whether the encryption will keep them out anyway. At least there doesn’t seem to be a smartphone available right now that can keep out the Celebrites of the world. (Smartphone encryption is a much harder problem than laptop encryption because (a.) the default state you need to support isn’t “off” but rather “on but locked”; (b.) you need to support answering a phone call from the “on but locked” state, which is going to require some access to stuff that should be encrypted (e.g., contact list, call log), but you don’t have time to prompt the user for a password; and (c.) touchscreens are a sucky means of input that make it really hard to use a password with adequate entropy.)

So… what can you do to keep your data private without CBP/ICE doing nasty things to you? I think the following is the best approach. For smartphones:

1. Root your phone.
2. Take a backup image.
3. Symmetrically encrypt the backup image and upload it to a file locker.
4. (If your phone isn’t already encrypted, encrypt it.**)
5. Flash a fresh copy of the stock rom, wiping data and system partitions.
6. Travel. If CBP asks, you can happily unlock your phone for them, since there’s nothing there for them to see.
7. When you reach your final destination, download the encrypted backup, decrypt it, and restore from backup.

For laptops, essentially the same deal:

1. Take a image with dd.
2. Symmetrically encrypt the disk image and upload it to a file locker.
3. (If the hard drive isn’t encrypted, zero write it.)
4. Fresh install OS of your choice, formatting drive.
5. Travel. If CBP asks, you can happily unlock your laptop for them, since there’s nothing there for them to see.
6. When you reach your final destination, download the encrypted disk image, decrypt it, and restore with dd.

(** The idea here is to overwrite the old unencrypted files with new encrypted versions that are unrecoverable once you discard the key. HOWEVER, when it comes to flash memory, wear leveling makes it hard to be sure something is really overwritten and gone. There’s no guarantee the new encrypted version of the file will be placed in the same flash cells that held the old unencrypted version. I’m not aware of any method for making sure an unencrypted file is really gone from a smartphone (short of desoldering the memory modules and interfacing directly with their controllers – which is hopelessly impractical). Your best bet is to turn on encryption when you first get the phone, so you never create any unencrypted sensitive files in the first place.)

This topic was automatically closed after 5 days. New replies are no longer allowed.