DHS has decided that within 100 miles of the coast/borders of the United States of America is border territory, and anyone within those limits can be searched as if they were standing at a border crossing. Your laptop can be searched, and you can be asked to give up an encryption key, and open the laptop’s data.
“Well, that’s fine! I never travel overseas with sensitive data,” you say. No, sorry, was I unclear? That’s 100 miles INTO the USA. Standing in NYC? Washington, D.C? San Francisco? Norfolk? All border crossing areas, according to the DHS, and all areas within their purview for search.
Unless you are actually a badge-carrying agent, or your laptop has TS/SCI data on it, this could be a problem for you. Is it likely that a border patrol agent will simply randomly stop you, and ask for your encryption key? I should hope not. But much as the TSA has claimed jurisdiction over train travelers, and sent Viper teams to pat them down, if the DHS wanted to, under this ruling, they could access your electronic devices without your consent, with no more justification than your proximity to the U.S. border.
This is a clear violation of 4th Amendment rights, as others have argued, and a very clear violation of the right to privacy for people with sensitive data on their laptops, phones, thumb drives, external hard drives, and other devices.
I’m not suggesting it will happen to anyone randomly. But what if the DHS wants some information you have? Think about the information you carry around every day. Is it backed up? Is it private, secret, trade secret, intellectual property, or classified?
Unpleasant thoughts, eh? Technical tip of the week.: Truecrypt, with plausible deniability partition may be a resource you’ll want to check out. If you’re a cleared professional working for Uncle Sam, however, you’ll likely want to think twice before declining a search or encrypting in the face of a data request from DHS.
Joshua Marpet is on the Board of Directors of two Infosec conferences, BSides Las Vegas, and Security BSides Delaware. He is also staff at Derbycon, Shmoocon, and as the “InfoSec Megaphone”, anywhere else he goes. Joshua is an experienced Forensic, Incident Response, and mobile forensics expert and researcher. As an adjunct professor at Wilmington University, he teaches Information Security at an NSA/DHS certified Center of Academic Excellence. In his professional life, he is a managing partner at Guarded Risk, a proactive forensics and proactive incident response firm.