Travelling paranoidly to or via the US

General Chit Chat
#1

There’s been much noise lately about how it’s no longer safe to travel to the US with your devices, and that you should leave it at home. This of course ignoring the fact that US CBP agents have been able to seize your devices for years, and that there are documented examples of people (not necessarily the US govt.) using stingrays to get control of your phone in airports; it’s only now that they’re taking a publicised interest in your social media accounts.

As someone who’s travelling to the US later this year, I’m in two minds about this. Part of me is resting on the fact that I’m in the least-interesting-to-the-US-services demographic, but I’m aware that ones laurels may be comfortable but are at best a temporary perch.

It’s unclear to me whether I should travel with burner laptop and phone and create myself some kind of dead-drop in the cloud that contains the files necessary for me to get up and running again on the other side (gpg encrypted SSH keys, etc) or whether I need just the burner phone, or whether I should just stop worrying and travel as normal.

Thoughts?

(I am aware that I’m probably now on a watch list…)

2x04: Pie In The Hold
Limitations on what we can be asked when travellng
#2

Interested into why you think this. I’d like to think that being part of the Bad Voltage community instantly makes you a voice the whole world listens to and so on every watch list. I doubt this is really the case however. I’m assuming this was meant as a joke.

#3

Yes this is something to worry about especially with the current Administration. Granted, the border is a bit of a grey area since the Constitution stops applying there. But a part of me still feels outraged that even a U.S. citizen can be told to hand over all their digital devices or be detained just by trying to re-enter their own country. Not good for civil liberties at all.

#4

Exactly. I guess what I was getting at in my question was: just how paranoid are the travelling BV community going to be when it comes to events like SCALE? Will @sil travel with burner devices? Will @jonobacon do so when returning from overseas? Or is this a case of “I have nothing to hide…”?

#5

We had this subject on our list to talk about in the most recently released show, exactly because I’ve been worrying about it… similarly to @gmb it seems. I’m thinking of taking a burner phone, certainly, although the point of course isn’t that the phone itself is a burner, it’s that it doesn’t have all your data on it. I would like there to be some sort of technical solution somewhere in between “don’t do anything” and “buy a second clean phone and laptop and travel to the US with those instead”, but I don’t know of anything. I don’t even know a way to “back up” a phone such that I can wipe it and then restore everything to it later. Suggestions are invited.

#6

I’m currently wondering the same things. With a flight in the next couple of weeks I’m tempted to just not take my phone at all. My laptop has been long overdue an upgrade. So I’m wondering about doing the upgrade right before I go, so I’m starting with an essentially clean slate. I left a windows 7 partition alone on the disk though so I might just configure bash to automatically boot there? Not a great solution.

I’m also tempted to install a keylogger, and all kinds of other nefarious loggers. So if they do take my laptop I can then see what it is they did

#7

Since I posted this, I’ve been working out what my strategy should be. I’m in the happy (hah) position of being an Apple user for most of my devices, so I have iCloud backups for my phone.

Current super-paranoid strategy, then is:

  • Ensure back-up up-to-date
  • Switch as many 2fa things to using a security key as possible
  • Get backup codes for all the accounts that use google authenticator.
  • Encrypt backup codes using a GPG key that I’m only going to use for this journey.
  • Put backup codes & similarly-encrypted SSH keys in a DigitalOcean droplet that only I know the password for (or which has a one-time SSH key authorized for the travel laptop)
  • Ensure data I’ll require for laptop is backed up securely to the cloud, code pushed, etc.
  • Wipe phone & laptop before travel (if taking a burner, don’t need this step for the phone).
  • Having arrived, restore phone from iCloud backup (if not a burner)
  • Install apps I need on laptop.
  • repeat backup-and-wipe step before leaving, just in case

Granted, that’s a stupid amount of shit to go through. So I’ll likely not do it all, if any (besides carrying a burner phone). Again, I am in the least-likely-to-be-stopped group as far as the US is concerned, so I am probably causing myself massive inconvenience for no reason whatsoever. (This last sentence is rationalising laziness, I admit).

1 Like
#8

Here’s a question I’ve not had satisfactorily answered.

Let’s say I get stopped, asked for passwords, and I refuse. Does there need to be palaver about me being held for some unknown amount of time? Or can I just be resfused entry to the US and put back on a return plane?

#9

As you’re not a citizen, AIUI, you can simply be refused entry, put back on a plane, sent home. Do not pass Go, do not collect $200.

#10

I arrived in Atlanta a few days ago, with a lot of other techies and no reports of people being stopped, which was a relief!

1 Like
#11

They can just refuse entry. It’s quite likely that you’ll get to spend nine hours sitting in a grey basement room first though.

#12

Why? Why not just, say, email them to yourself or store them in your dropbox account or something? I don’t see what the benefit of having a whole server spun up to do this is. If they can demand the password for your email account then they can demand the password for the droplet too… unless the plan is to deny that the droplet even exists, which is walking quite close to the “don’t lie to border guards” rule that we suggested in the episode, so I wouldn’t do it…

#13

Unless they’re going to ask me to name all the servers to which I have access, I don’t have to lie to them; it’s simply there and waiting for me to use it.

Emailing it to a throwaway email is fine too, however — I did somewhat over-engineer this!

#14

Mm. This is the question of whether lies by omission are still lies. :slight_smile:

I wonder if there’s some sort of Android thing that does the equivalent of an icloud backup but to my own server? Obviously one can back up stuff easily, but I’m not sure that it backs up everything – apps you’ve got installed, the storage for those apps, your internal storage, the recent phone numbers, texts, etc, etc…

#15

If they don’t ask me what I had for breakfast, and I don’t volunteer the information, how am I lying by not letting them know I had three (count them ) Weetabix? All I’m talking about here is an extra security step of removing from my laptop anything which, if cloned, would cause a security hole. Not really sure where the lie is here.

#16

Now I suspect this whole thread was just for Weetabix boasting

2 Likes
#17

Temptation to register weetaboast.info high.

2 Likes
#18

I am travelling to SCaLE next week too and being super anxious about it now ever since I read some tech sites reporting on this subject.

I plan to travel with my Ubuntu Phone (currently my only phone, yes, I am one of the remaining ones) which I don’t think would impress much.

During the event where I have to present I might ask a colleague living in the US to lend me their laptop for the presentation and just not travel with mine which will suck a bit as I wouldn’t be able to do presentation polish during my 14hour flight to LAX.

Last, my surname is Russian (but was born and raised in Argentina/Canada), not sure if having a russian surname is a benefit or a bad thing given the current administration :stuck_out_tongue:

#19

I’m sorta fortunate here in that my laptop is not my main machine. So I don’t really have to clear it out; it’s already not got much on it. I don’t know what I’d do if I didn’t need that. Similar to my Android question above, I wonder if there’s some convenient way to bundle up all my computer (settings, config changes, files, everything) into one file I can encrypt and drop on a server somewhere, and then wipe the laptop (which I also don’t know how to do for Ubuntu, short of reinstalling from scratch) and then scp the big file down and restore it once I get to wifi on the other side…

#20

Some good thoughts on this subject from Aaron Gustafson: https://www.aaron-gustafson.com/notebook/crossing-a-border/

Please respect our code of conduct which is simple: don't be a dick.