Customs in the United States has become nosier every year. It makes one wonder how to enter the country without surrendering one's life by granting access to one's digital devices. Wired put together a decent guide for dealing with customs. Of its tips, there is one that I highly recommend:
Make a Travel Kit
For the most vulnerable travelers, the best way to keep customs away from your data is simply not to carry it. Instead, like Lackey, set up travel devices that store the minimum of sensitive data. Don’t link those “dirty” devices to your personal accounts, and when you do have to create a linked account—as with iTunes for iOS devices—create fresh ones with unique usernames and passwords. “If they ask for access and you can’t refuse, you want to be able to give them access without losing any sensitive information,” says Lackey.
Social media accounts, admittedly, can’t be so easily ditched. Some security experts recommend creating secondary personas that can be offered up to customs officials while keeping a more sensitive account secret. But if CBP agents do link your identity with an account you tried to hide, the result could be longer detention and, for non-citizens, even denial of entry.
I believe that I first came across this advice on Bruce Schneier’s blog. Instead of traveling with a device that contains all of your information, you should consider traveling with a completely clean device and accessing the information you need via a Virtual Private Network (VPN) when you reach your destination. When you’re ready to return home, wipe all of the data.
The most effective way to defend against the snoops at the border is to not have any data for them to snoop.
The other tips are good to follow as well, but they aren’t as effective as simply not having any data in the first place. I understand that isn’t always feasible. If you’re traveling somewhere that has unreliable Internet connectivity, for example, you will need to bring the data you need with you. In such a situation, I recommend bringing only the data you absolutely need.
The most effective way to defend against the snoops at the border is to not have any data for them to snoop.
Using steganography is a close second. If I have some large music files on my computer (my own music, so the border thugs can’t compare them to other copies of the same works), who can say whether they contain embedded information?
As fast Internet connections become more ubiquitous world-wide and cloud storage options become ever cheaper, the VPN-your-data option you mention becomes very workable, but it’s more appealing to me to whisk my data right past their ugly noses.
Certainly no one should approach a U.S. border, or even the border of some less repressive country, with their data hidden only behind a password that the government criminals can force to be invoked while holding the person captive.
The problem with relying on steganography is that it can still be detected. Today’s data forensic tools are very good at sniffing out data.
At best what can be detected is the likelihood that something might be embedded, based upon successive frames being more discontinuous than expected. Such randomness could also come from A/D conversion from a cheap sound card, or from actual hiss in the signal being recorded. Even setting those aside, with embed ratios (size of embedded data vs. the size of the container file) of, say, 1/16 and smaller, it becomes just about impossible to find a hint that anything might be stuffed inside.
To minimize the risk of suspicion, and increase embed amounts feasible, signal volume can be cranked up to near maximum, and music can be chosen that already has a lot of noise (dare I say — heavy metal? ;-j ). Embedding anything on top of a sine wave is probably a bad idea.
(There probably are cheap steg programs out there, that embed a fixed number of bits in every frame, no matter what the magnitude of the original signal. A more clever algorithm does not touch any silent portions of the data, or for that matter, any clipped portions either, since doing so advertises that something has been done to the original file.)
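The tell described in the last comment (LSB changes inside silent or clipped stretches) can be checked mechanically. The following is an added detection sketch, not part of the original thread; it assumes 16-bit signed PCM already decoded to a list of integers, and the function names and sample track are constructed for illustration.

```python
import random

CLIP_POS, CLIP_NEG = 32767, -32768  # 16-bit signed PCM full scale (assumed format)

def flat_region_lsb_anomalies(samples, min_run=32):
    """Flag runs that are silent or clipped once the LSB is ignored,
    yet whose LSB varies. Returns a list of (start, end, kind).

    True digital silence or clipping repeats one exact value, so a
    toggling LSB inside such a run suggests later modification.
    """
    anchors = {0: "silence", CLIP_POS & ~1: "clip+", CLIP_NEG: "clip-"}
    findings, i, n = [], 0, len(samples)
    while i < n:
        base = samples[i] & ~1            # value with the LSB cleared
        if base not in anchors:
            i += 1
            continue
        j = i
        while j < n and (samples[j] & ~1) == base:
            j += 1                        # extend the flat run
        if j - i >= min_run and len({s & 1 for s in samples[i:j]}) == 2:
            findings.append((i, j, anchors[base]))
        i = j
    return findings

def constructed_tracks(seed=0):
    """Constructed sample data: a clean track and a copy in which every
    sample's LSB was overwritten, as a fixed-bits-per-frame tool would do."""
    rng = random.Random(seed)
    music = [rng.choice((-1, 1)) * rng.randint(100, 20000) for _ in range(1000)]
    clean = [0] * 200 + music + [CLIP_POS] * 100 + [0] * 200
    rewritten = [(s & ~1) | rng.getrandbits(1) for s in clean]
    return clean, rewritten

if __name__ == "__main__":
    clean, rewritten = constructed_tracks()
    print("clean:    ", flat_region_lsb_anomalies(clean))
    print("rewritten:", flat_region_lsb_anomalies(rewritten))
```

Recordings with dither or an analog noise floor rarely contain exact flat runs, so an empty result says nothing about the rest of the file.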