Data at the U.S. border


UPDATES: Aside from the strategies listed below, here are some some other guides, resources and tips on dealing with your digital privacy in U.S. airports, or around any borders with paranoid state regimes…


The United States of America can now be fairly classified as a declining state in terms of freedom, liberty, speech and human rights. The Economist has downgraded it’s status to “flawed democracy” (late in the game). The White House is presently battling with the courts for the right to exclude entry to the country  from not just seven Muslim majority countries (bad enough as that would be), but the right to ban people of any nationality on the basis that they were born in one of these countries. It is the thin end of the wedge to enact President Trump’s promise of a complete ban on Muslims and a Muslim registry.

The Trump regime also plans to require foreign visitors to disclose websites, social media activity, and let American border agents copy data and contacts from their mobile phones as a requirement of entry. Plan ahead.

If you need to go to the United States, your rights may be at serious risk. But this is nothing new in terms of data. Department of Homeland Security agents were allowed (under President Obama) the authority to copy the your device hard drive at any point of entry into the U.S. But this will probably be put into greater practice in the coming days.

So, if you’re traveling to the United States, consider the following:

Travel tech-light. Leave your computer at home, or carry a wiped machine and/or mobile. Get a mobile after you arrive. Basic mobile phones and pay-as-you-go SIMS are easy to obtain (still) for cash in the U.S. See if you can use a local laptop after you arrive, and get into your accounts on the other side. The less you carry, the safer you and your contacts will be.

Encrypt your computer and your mobile hard drives. If agents are going to access it or copy information from a device, they’ll have to talk with you about it first. Switch your devices off before you land, for this to mean anything.

Log out of everything. Before you arrive at the border, make sure that nothing is syncing, updating or sending or receiving from your devices. Wipe all the local data in your browser. Don’t leave passwords, browsing history, cookie information or download history in your cache. Remove your accounts from any email clients you have set up. Wipe any access information. If agents want to access theses, they will have to ask you to log into each one, keeping everything they see transparent to you. Don’t leave clues on your machine as to what services you use.

Create alternate social media personas. This is more difficult to pull off than it sounds, but essentially it means creating fairly vanilla/bland social profiles that don’t include any social, political or other aspects of your identity you think may get you or others in trouble. It means keeping a smattering of contacts that you don’t think will raise your profile in a problematic way at the border. Honestly, this is how they™ win, but if you need to get from point A to B, then sometimes needs must. If you’re involved in an sort of anti-regime activism or opposition, then keeping that information containerized is just a practical reality.

Encrypt files locally and send what you need ahead of you. If you have someone on the other side you trust, encrypt the files and information you’ll want to use after you pass through the U.S. border, and send it to them. Use Veracrypt or pgp key encryption to secure the information locally.  Transfer it using a secure cloud service or a volatile, encrypted file-sharing service such as onionshare, or run FileTea through a decent VPN or Tor. Wipe it from your device, and re-install it when you get to your friend.

Encrypt your information and hide it in the cloud. Find a decent, secure cloud storage service. Export your confidential information and encrypt it locally on your machine. Rename your file as well (“pics_of_cat.zip”, “art_masters_thesis.tar” or so on). Store this in your cloud hosting service and make sure to securely wipe it from your machine. Get it back when you’ve got a secure internet connection after you’re away from the border control.

Set up 2-factor authentication on any accounts that have it available. If you’re asked to log into an account, this will give the border control agent and the Department of Homeland Security future access to that account. 2-factor authentication on many services allows you to monitor where your account is logged in and end those sessions remotely. It will let you know when and if anyone tries to log in from a different location.

Consider all accounts accessed at the border to be compromised. As a matter of digital hygiene, change any password that you use at the request of a government official. Update your passwords using stronger ones not similar to your compromised passwords.

Consider any device handed over to a border agent to be compromised. If a border agent takes your device and does anything you can’t visibly see happening, then assume the device has been infected with malware (spyware) and wipe it before using again. Dismantle it to look for physical tampering, if it’s taken where you can’t see it.

Such are the times in which we live.

— For a friend

Data at the border

Escape plan

I was in a charity shop in Peckham a coule of days  before the new year’s eve and was flipping through the pages of a history of MI9. There I came across a diagram of the Escape Knife (or, escaper’s knife). As I’d lost my trusty ol’e Leatherman due to some haste and stupidity on the way to the airport a while back, I was in the market for a new multitask tool thingamajig, and I also like things that come with a bit of history to them. Also, it just seems like we’re living in an era where having something on hand called an “escape knife” seems more handy. Image searching the diagram and name, though, tells me that things things aren’t in production any longer, and buying one vintage runs in around the £1,200+ range. So I’ll pass.

But I like the mandate of MI9, which was basically to help people escape or evade fascists by designing tools, researching technology and developing tactics. There still seems to be a need for these things.

Sort of like during the bulk of the 2000s, I’m hearing more people grumbling about needing to escape Trump’s America, though this time around it sounds like the real challenge for more people will be getting into the U.S., rather than getting out. But still I see people looking for ways to emigrate to Canada, Europe or even to UK for some reason, though I’m not entirely sure what they’re specifically hoping to evade by coming to Brexit Land.

So, first the bad news: There is no escape. We’ve all entered ‘The Man in the High Castle’ alternate reality together. The good news is that there is a wealth of how-to guides, manuals and resources created by and for people living or working in closed and closing societies on how to do any number of things, whether its communicating privately or anonymously, looking up information without leaving a data record behind, how to meet discretely, how to store personal information securely, how to detect if you’re being followed and lose who’s following you, etc. and etc. To learn how to do things things, the first thing you need to do is accept that you’re now living in an emerging closing society. It’s okay, you actually have been for a little while now, you just didn’t have a fluffy-haired soon-to-be-president, orange twat reminding you about it in a daily barrage of poorly-thought-out Twitter outbursts. Until now. Welcome to now.

You had been warned. Maybe you didn’t care because it still seemed like things were being run by people who could string a coherent sentence together. Maybe you took the warnings seriously, but didn’t think they’d ever apply to you. Apparently, when your side loses an election, they don’t switch off the massive, legal-grey-area global spy network when they pack up and move out.

“It is possible that I will end up living like the dissidents who I defended from foreign dictatorships for so long. I will talk in coded terms, as I have started to do already. Did you think it was a coincidence that I published an article about  Elijah Lovejoy, a journalist who sought freedom for all and was killed by St. Louis mobs, right before the election?” Sarah Kendzior

People who had previously felt like they were fairly garden variety mild political opponents to the establishment may now be qualified as proper dissidents. The First Amendment right to religious freedom might not really apply to some people for the next few years. If you conduct research in certain scientific fields, you may be under increased White House scrutiny.

The U.S. may not be closed, but it’s closing in. Here’s are some resources that may come in handy if you’re going to be on the wrong side of the emerging situation…

Digital

Surveillance Self-Defense Against the Trump Administration, by Micah Lee, is what is says in the title. Here’s a great tech starter for avoiding mobile and web tracking, securing your communications and your website (if you’ve got one). If your a Signal app user (hint: you should be), also be sure ro read Micah’s pro-tips on using it; This is the “missing manual.”

Penetration Testers’ Guide to Windows 10 Privacy & Security is for you if you are going to use Windows 10, not that I’m advocating that sort of lifestyle choice. Get ready to spend some serious time with Andrew Douma’s how-to post, which is far more readable than any actual Microsoft documentation might be.

draft_encrypt-email-guide-10-2016 is a group edited guide on getting into sending and receiving encrypted emails using PGP. It’s spearheaded by Matt Mitchell, who will be porting it to Gitlab and Medium once the gang are done fidgeting with it. However, it’s already far more readable than a number of other attempts. I’ll update the links here when it’s moved to it’s finalized home.

How can I use my mobile phone more securely? by yours truly, can help you get your mobile phone under control, or at least understand how little control you have. Remember: You have control over whether you carry it when you don’t want a record of your travels. You can control what you don’t say or type in it. That’s your control.

Data at the border is another one I hacked together, about the data you carry with you, and how to keep it from being exposed, through theft, confiscation, in a search, etc.

Physical

Surveillance Evasion, by Ami Toben at protectioncircle.org will help you understand what’s needed to evade hostile physical surveillance when traveling between Point A and Point B.

How journalists and activists can have a safer physical meeting with a source, by Security First Co-Founder Rory Byrne will show you how to have an off-the-record meeting with the aim of staying off all the records.

How journalists and activists can identify and counter physical surveillance, also by Rory Byrne, is similar to Ami Toben’s guide, though with some very different insights, offering a set up tactics and behaviors that can throw off a tail.

Is S/He an Informant? A Ten Point Checklist by by Ret Marut on behalf of activists allegedly impacted by undercover infiltrators in their groups is still going to be useful if you’re going to be organizing in 2017-2020 America.

Think You Can Live Offline Without Being Tracked? is a short FastCompany interview with various privacy experts, that will give you some idea on the near impossibility and/or depressing reality of trying to sustain such an existence for a long period of time, which is why I trend more toward episodic tactics and throw-away plans. Spoiler: When an article ends in a question mark, the answer is usually ‘no.’  The Lone Ranger lived his secret identity and had just the one friend. Don Diego de la Vega kept his anonymous Zorro persona compartmentalized and so could still throw swanky dinner parties. Be Zorro.

Plan, prep & test

Whether you are just one or some, you need to know what you’re going to be doing and what kind of trouble it could entail. These will help…

The Risk Assessment toolkit by Security in a Box is a good place to start.

The Secure Communications Framework by Tim Sammut remains one of my favourite guides to assess which tech and methods you should be using, and what kind of extra support you might need.

Risk Assessments and Communication Plan templates from Rory Peck Trust can help you articulate and keep a file on what the likely problems will be and how you’ll cope with them.

SAFETAG, developed by Internews, is a professional security auditing framework using a mix of penetration testing and risk assessment methods that are useful for smaller organisations and groups who face adversarial conditions.

You had been warned

All those warnings about the dangers of mass surveillance coming out for the last few years just got a little more real for a lot of people. Apparently, when your side loses an election, they don’t switch off the massive, legal-grey-area global spy network when they pack up and move out.

Trying to collect everyone’s data for analysis at any future time may sound like a brilliant idea to you. Think of the good that can be done! No. You can’t think of such a thing in terms of it being run by rational, decent people. You can’t think of it being run by people on your side. You have to consider it as if it were possible that such powers could be put in the hands of a maniac.

Many people supporting Hillary Clinton for president, and the re-election of President Obama before that, were eager to dismiss this issue. Both (along with many other Democrat and Republican leaders both past and present) were part of the construction of this machine, though. Soon it will be handed over to a President Trump, providing he can beat the upcoming rape trial and several other allegations winding through the courts and avoid being impeached.

This isn’t just an American issue, or about some constitutional rights that only apply to people on the right side of the upcoming Mexico-funded wall. This has to do with all the U.S.’ intelligence trading agreements.

Just let that sink in.

When Obama — with Clinton’s support — extended and expanded the reach of America’s mass surveillance project, most of his advocates were defensive, apologists, or dismissive about it. What does it matter? How does it effect you? many folks looked the other way while millions of people around the world were targeted based on “selectors” generated from some text they may have put online somewhere, a video they may have watched, photos they posted, or maybe just how their surname, language or national origin happened to feature on the computer screen of some NSA contractor. Lots of people thought it wasn’t a big deal. Many people may have even believed that, well, if they don’t have anything to hide…

This isn’t a warning, it’s a reminder. The warnings have been coming out for years, people just didn’t do anything about them. While the apparatus stay’s the same, its uses can and will change. The selectors can be altered. Other people may find all sort of things that they suddenly wish they could hide even if they can’t: Political affiliation, who their friends or family members might be, social interests, reading lists, gender identity, religion, race. What selectors will the new regime prioritize?