Laptops

Should I leave the laptop at home? That should be a policy decision

Business travelers should consider what electronic devices they really need when crossing international borders and leave anything they DON'T need back at the office or packed in checked luggage. With the new rules, border agents can download any of the information contained on your device, or simply confiscate it.

On April 23rd I wrote about the Ninth Circuit court and their decisions about what is considered private and what isn’t. Today a new voice weighs in.

The Association of Corporate Travel Executives is now warning its members to limit the amount of proprietary business information they carry on laptops and other electronic devices because the government can seize that information at United States border crossings.

Is it just me? Or are we all feeling a need to don a tinfoil hat in our homeland U.S.?

It doesn’t help that the case that is the focus of this ruling involved child pornography. I think that the material draws attention away from the real issue at hand. Regardless, we have learned a lesson and hopefully an understanding of what must change as we carry information around.

Specifically, the ACTE is worried that corporate information can be downloaded by border agents. This can lead to potential security breaches and exposure of supposedly private data. And if you think that the devices that could be targeted are limited to your laptop, guess again. They can confiscate PDAs, cell phones, USB devices and digital cameras. And they DO confiscate them.

Businesses are slow to understand that their private information may be downloaded to a secondary device with little to no oversight. But they are getting the picture and it isn’t pretty.

I used to fly with up to 60 open projects short-cutted from my desktop. Now I wouldn’t get on a plane carrying a laptop that I hadn’t freshly formatted. I would use an online secure storage provider. TechRepublic’s Michael Kassner gave us a look at one provider called IronKey that will store your private information online and requires only an encrypted key to access the data. Sounds like a good way to go.

Here’s some input from PCWorld:

In February, a lawsuit was filed in U.S. District Court in San Francisco by the Asian Law Caucus (ALC) and the Electronic Frontier Foundation (EFF). In the legal filing, the two groups asked the court to order the DHS' Customs and Border Protection (CBP) division to release records about its policies and procedures on the "questioning, search and inspection" of travelers entering or returning to the U.S. at various ports of entry.

On May 8th, both organizations and nearly 30 other civil rights and individual privacy rights advocates are submitting a letter to lawmakers asking for a Congressional oversight hearing on the issue. The letters are being sent to the House and Senate Judiciary committees and to the House and Senate Homeland Security committees, said Marcia Hofmann, staff attorney for the EFF.

"I think that (Appeals Court) decision has focused this issue for us," Hofmann said. "The courts certainly are not stepping in to act as [a] check to abusive searches. On top of that, it has been difficult getting information from the DHS on such searches.

"We hope members of Congress will look into this and force the DHS to disclose information on what its practices [are]. Ideally, it would be wonderful if Congress would pass legislation to put some safeguards for travelers," she said.

The issue leaves business in the position of needing to re-classify information. It is no longer “simply” a case of Internal Use, or Confidential. It has become “May travel, May not travel” as well. And this should have business thinking of new and better ways to connect to information on the road.

How do you protect your business travelers when they cross borders?

More information:

ACTE Press Release

FindLaw

30 comments
jdclyde

Linux, with the GUI NOT autostarting, and USB ports turned off in the BIOS. Until it is clear who is looking for what, and what safeguards are put in place to protect your data, either don't carry the data or make it as difficult as possible for them to access the system. A great reason to have a VPN back to the home office where the data is stored.

Jaqui

that would destroy the US economically. Do not do business with a US-based firm, since that is where the assault on privacy is based. Global depression then, since the destruction of the US economy would also destroy everyone else's. But it would also force a divorcing from any monopoly, or of having one country's currency as the one for international trade.

Tig2

I'm so glad that I don't travel for business and that I have other ways of getting from point A to point B without getting on a plane. But the reality is that I will have to deal with the rules of international flight again in my lifetime, regardless of what I may think of that. As we go about living in the post 9/11 world, we are constantly brought face to face with the things that have changed. Airline travel certainly has, and not for the better. The ability of a customs agent to download anything they wish from my laptop is disturbing. The fact that a customs agent is free to confiscate my personal electronic devices on a whim is even more disturbing. That from the viewpoint of a private citizen. If the items being confiscated belong to my employer, there is another issue. I take seriously the requirement to safeguard information entrusted to me by my employer. But if the agent at a border crossing is free to download that information I can't safeguard it. Better to have it stored elsewhere. Until they decide that they should have reasonable access to my off site storage, anyway. Are we going too far in the effort to control information?

Levi Miller

No GUI won't help... It will likely make it worse. From stories I've read regarding UMPCs and small laptops (MacBook Air, etc) having something out of the ordinary confuses airport security and makes them suspicious. Granted the folks at the counter won't be able to get your data if you do as you suggest, but once they confiscate your laptop and send it to their computer forensics guys it'll be available.

Oz_Media

That'll happen. :) Jaqui, as I mentioned before in this thread, don't you think that business owners should be even more concerned that there is a greater risk of targeted personal theft of these devices by competitors? I've seen more than one sales rep lose a laptop to a competitor at a convention. People will go to great lengths to get such data, it takes a few minutes to copy what they need and then they can even become the good samaritan and return it to the company they stole it from. "I found this under a table at the trade show!.....Oh no that's no problem, you're welcome, anytime...don't mention it" But if someone with no interest in the data at all, or a one in a million chance of actually wanting your notebook data, is allowed to look at it, then it's "the world will stop turning and my rights are being breached and I can't do my job and the government can't be trusted and...." yada yada, the whine goes on. Why do Americans get so upset when they feel they are being infringed upon, ignoring the fact that there is a far bigger and more realistic security risk to that data already, which is conveniently ignored to whine about freedom and rights instead. Loosening laws like this just helps protect the offenders that make that country so unsafe to begin with. If you can't infringe on anyone's 'comfort zone', how can you catch offenders? I say strip search each and every American when they leave the house in the morning, when they enter and leave the office each day, before they get on a bus, airplane, train or anything. Maybe they'll begin to understand that all tax paying people with good jobs are not all good people. They seem to feel that it's okay if you stop ONLY the bad guys but you can't impose such searches on themselves.
It's such a senseless position for paranoid Americans to take, if the bad people didn't look just like you and I, we wouldn't have this problem, unfortunately they do look just like anyone else, so how do you stop them without imposing on others?

info

I read some of the posts on the issue and in my opinion this ability of agents to download and confiscate information and devices will be a killer to US tourism industry for one, secondly it might mean for the US that your guys will have to travel elsewhere if you want to do business with other countries. I do understand the need of security and law enforcement, but what about freedom? Are we talking about freedom from being freed of your rights here? All I can say is good luck, and God speed and all that. I hope you'll get the situation under some control. When I'll cross US border in the future, I'll make sure not give any possibility to either confiscate anything, nor download any information, as information will stay at home. For business however there will be no going to US, because there are possibilities of doing business with other countries, that do not impose such information control upon others. Finally to answer my view upon question asked by TiggerTwo, above... You are light-years beyond just controlling information at this stage. Sorry guys, but the free US resembles actually a police state.

TonytheTiger

the answer is going to end up being to simply access everything through a home or company vpn. Then there is nothing on the laptop.

Oz_Media

You are right, better to not leave the office/network with really sensitive data anyway, but it has ALWAYS been that way. For some reason, people have forgotten how loosely protected these devices are and allow employees to roam the world without a concern for the data they carry. The most LIKELY problem would be theft, from a conference etc., where competitors are eager to get to these devices. THAT theft would be important to protect against because these people WANT your data. If a customs agent was to download your customer database, what are the chances it would ever be used? Is there not greater likeliness that someone at a convention would 'purposely' steal your device and use the data against your company? I think the threat of portable data security is far more in depth than border crossings, let's not forget that there are much more interested, prying eyes in our day to day activities already.

NotSoChiGuy

...that most of the people 'safeguarding our borders' are little more than Doy-da-Doy rent-a-cops who before they were hired in at $10 per hour or whatever, were sitting at home munching on stale cheetos, sipping flat RC and watching movies. And what did they see in those movies: hackers/criminals/terrorists using every imaginable OS interface ASIDES from Windows!! "Me Security. Security no understand prompt thingy interface. It bad. You bad." And yes, I've had a bad airport security experience! ;)

Jaqui

that my comment would never actually happen. full strip search of everyone, in every country of the world, every time they go through a doorway. end of terrorism, armed robbery, murder .... too bad that would never happen. after all, people think they have rights, other than the right to die.

Oz_Media

In 2002 I applied that policy at an office I worked in, data was not securable when on a user's laptop or PDA. This is security 101, why would it be a daunting issue in 2008? Any company stupid enough to allow "sensitive corporate data" to be toted around to trade shows, conventions, sales trips, etc. deserves to have their data placed on a free, public website. The airport is the least of your worries, you have a much greater likelihood of a competitor or customer stealing it from you.

JamesRL

From the days when I used to do desktop security, I'd say that the airport itself is worse for risk than the security checkthrough. It is known that there are rings of people who stalk major airports, looking for people who are less than attentive to their laptop bags. They scoop and run. After all many laptop bags look alike. Obviously since 9/11 it is more difficult for these people to operate, but I've heard they still do. I would worry about laptop thieves in the airport more than a customs agent downloading stuff. James

veronaa

He knocked the country for a loop on 9/11 (I was across the street in my office that morning), and half the U.S. citizens seem to think that the solution to fighting him is to burn the Constitution! Another "victory" for him. In March my wife made reservations for me and used my nickname instead of my full first name. When I checked in at the airline desk to check my bag, the clerk notified me that I would be subjected to a full search at the security point. Yet, even though they nearly strip-searched me, my laptop ran through the xray untouched by human hands. This was at Newark airport, where the TSA workers are treated like crap, both by the mobs of travelers and apparently their management. On the return trip, in Milwaukee, it was all smiles and Wisconsin accented happy talk! Same ticket. Same name difference! In 2003 on a return flight from Paris, I was sent to a court-like room by the Newark customs agent. After sitting there for almost a half hour, I was declared safe to re-enter my home country of 58 years by the three judgelike persons on the high bench, with no explanation for the delay. As a frequent flier between Newark and Boston and D.C., I've never had a problem other than the occasional request to scan my bag, computer and all, with the little drug test swabbing. We are now guilty until proven innocent whenever we venture outside our homes.

jdclyde

I would love to hear your first hand experience, as long as we get a resolution. My worst was coming back from Colorado for my Grandpappy's funeral. My step dad, my sister, and myself flew out there, my mom was already there. She had already been out there when this happened, so already had a train ticket for her way back. At the last minute, my step dad bailed on his plane ticket and rode the train back with mom. I had already been cleared through security when they discovered my step dad was a no-show. That threw up a security flag, so I had to stand there for 30 minutes while they tracked down my bags (that had already been processed) and brought them back for inspection. They then did the complete search of everything I had, but it was just clothes and odd things of Grandpappy's that I had taken. (he was a pack rat, so it was all useless crap with nothing but sentimental value) I was allowed to pass, after a long delay. Yeah, they checked my shoes....

JamesRL

And like Toronto, you go through US customs agents at the Vancouver terminal before you leave the country. Those agents (who are American citizens and employees of the US government) are pretty thorough. Much more on the ball than the screening counter people. But they rely on the screeners for the xray of the bags etc. James

Oz_Media

That's an oxymoron. Airport security in Vancouver, consists of foreign men and women, approx. 16-60, mainly Filipino and East Indian. Absolutely NO actual security training at all, they sit in the customs area and read a book. When a problem arises they simply call the RCMP in the terminal. The RCMP will turn up and taser you repeatedly, no questions asked. They are just eyes, when not reading a book. For a hair over minimum wage, about $9.00/hr what do you expect? But as far as terrorists are concerned, while they many come to the US THROUGH Canada, it is US agents that allow them to enter the USA, not Canadians. So we just need the ability to read them a story while they wait I guess. :) "Now just sit there Mr. Hussein while I read you the story about Johnny's trip to the candy parlour. Now be nice or I'll have to hit you with my book until the RCMP taser you to death!"

shardeth-15902278

"Airport Security, it's not just a job, it's the authority to cop a feel..."

Oz_Media

If you needed a full strip search every time you walked through the door, it would sure boost support for my nude weekdays campaign. :D

TonytheTiger

but I think we're getting close to the point where company laptops need to be no more than portable thin-clients, eliminating a lot of risk as well as expense.

shardeth-15902278

I don't think they are so much afraid, as distracted. The majority seem to have forgotten that it is a (representative) democracy, that THEY are the govt. They've invested so much in radicalism (Liberals vs. Conservatives...), that they have sacrificed rationalism. And personal responsibility.

Oz_Media

I agree, as I have said all along, I think competitors and people who want to sell data to competitors are a far greater threat than some $9/hr border guard clown who can't get a job at 7-11. I know many people who have had portables stolen at conferences and trade shows, they sometimes turn up again but you never know what has been stolen from it. THAT is reason enough (or should be anyway) for any company to restrict which data is taken outside the office. Other than that, theft of company computers is WAY down now. I have a few RCMP friends and after a recent break in at a customers office I was asking about computer theft (they didn't take any of the computers, just warehouse stock). I was told that most company break-ins (we are not talking targeted break-ins for competitive info) don't have any computer theft these days as there is no money on the black market for used PC's anymore. So unless, as you cited, there is a targeted theft for competitive info they don't usually bother stealing PC's when they break into offices these days. Keeping the data IN the office network (even if data is stored offsite) has always been the best idea. This whole idea of people wandering the globe with highly sensitive company data (and again, I think many companies put way too much pride in their data that most people don't want anyway) is just poor security on behalf of the company to begin with. I worked for one company that insisted on PKI and other security standards for all the company data, not recognizing that they BOUGHT their contact list from a major BC contact list provider, the names and numbers are obtainable by anyone. It was only the notes and customer history that was of any importance, but even that was no brainer info and nothing worth anything to anyone, even competitors. They were trained to be paranoid by the media attention at the time, I don't think they worry about it anymore though.

jdclyde

the bastards in the ACLU have gotten the stupid and weakminded to think that it is somehow unfair to single out people that are a higher risk, and so we CAN'T openly profile. When everyone in the ACLU dies of syphilis, the world will be much better off.

Oz_Media

Yes, but they don't have ridiculously stupid guidelines for doing so. You will find security very tight at Gatwick but they actually profile and use trained security to carry out such checks, leaving most of us 'normal' folk alone. I find the US customs guards are simple, untrained and uneducated as to what they are seeking. They stop people just for the sake of stopping people and would let 10 fundamentalists with RPG's wander through the border while stopping a nun. Yes, just like a bad satire movie, they have no clue what they are seeking other than those they deem "Anti-Americans".

JamesRL

The stories that I hear from the late 90s is that the sales of laptops from senior execs were for 10s of thousands of dollars. People would determine who the owner was, and look for a competitor. I could also relay knowledge of a theft of three laptops from the trunk of a salesperson's car while three people who were working on a $300,000,000 deal were at lunch. Do you think they won the bid? By the way, on the plane ride home I happened to see a glance at someone's Olympic promotions. I wasn't looking, but someone in the row in front of me pushed their seat back, causing the person beside me to push into my space and I was trying to glare at them. I saw some stuff that was confidential I am sure. Planes aren't the greatest place for privacy and people would do well to keep that in mind too. If I was malicious, I could easily have called her competitor. As it was I think she represented her company poorly from her manners. She had the front row and already had more legroom than anyone else on the plane. James

jdclyde

doesn't try the same thing? And I was actually referring to computer security more than government security. I would bet our security is still lax compared to flying in and out of the UK? Or don't they check anyone?

Oz_Media

I just don't fall into that mould at all now. I guess I am definitely not cut out to be an American, there's no way I'd let the government or media instill fear in me, no way, not a hope in hell. Even if there was a terror 'scare' like when Bush got millions of Americans to fear anyone with brown skin (justifies them killing innocents as well as terrorists), I still wouldn't buy into it. I'd just carry on as always, guess it's the Brit in me, I don't live in fear and would never do so because my government told me to.

jdclyde

There has always GOT to be a big security scare about something or another, or companies would not be frightened into spending so much on all the security products out there. Now, run along and be afraid.... We can get more money out of you that way....

Oz_Media

It's been a while since I was in charge of network security, even then I wouldn't let users travel with sensitive data on notebooks or portable devices. It was ALWAYS a matter of providing a secure web access system instead. To see a bunch of people getting fired up over having customs officers check laptops but seemingly not care about the higher likeliness of theft of the same data is a bit odd. As you said, airports are a target of such theft (perhaps not for the data as much as the hardware itself though) and I have seen it at tradeshows (purposely to obtain sensitive data). Companies aren't concerned about theft of their data, it seems, but a government agent having the ABILITY to check data is need for concern? Yeah, sure. :p