Land transportation and border securityCBP sesntivie information search policy is wrong, I

News continues to worsen for business travelers carrying sensitive information. In a ruling by the Ninth U.S. Circuit Court of Appeals (download PDF), U.S. Customs and Border Protection (CBP) was allowed to continue its practice of warrantless searches through computer data held by U.S. citizens and foreigners alike. With no cause or suspicion, the CBP may inspect, copy, or seize data devices carried by anyone returning to the United States. Jon Espenschied writes in ComputerWorld that he is not convinced that passive compliance is the best response to this situation. The CBP convinced the court that the doctrine of routine border inspections to “prevent terrorists and terrorist weapons from entering [the U.S.]” can rightly be served by searches for expressive thought and personal communication. In keeping with a common pattern in which privacy rights are eroded, the CBP used a child porn suspect as a test case — in which there was probable cause and reasonable suspicion based on other factors — to justify why probable cause and reasonable suspicion would be unnecessary for the entire traveling populace. The reaction has been swift and overwhelmingly negative; even the U.S. Transportation Security Administration (TSA) posted a message online distancing itself from the CBP’s actions. Business people in border states and working abroad, as well as casual travelers, now have reason to be nervous about taking a laptop, media player, or even mobile phone through a U.S. border inspection. Not surprisingly, advice on how to avoid or defeat the inspections is popping up all over the Internet.

Espenschied writes that there is a risk the CBP has overreached with this action. The risk is this: If the CBP fosters widespread collaboration against its actions, it is likely to be counterproductive for both information security and national security. For individuals and organizations, more security measures are necessary to protect against an apparently random new threat to data confidentiality and integrity, since the CBP has published no guidelines about how it inspects, seizes, retains or returns the data or equipment. For national security, random selection of samples might be a good tool for statistical information gathering or trend analysis, but useless for finding the proverbial terrorist needle in a haystack. “It’s simply the wrong approach for identifying risk,” writes Espenschied, “and because it comes at a high cost of individual rights, it follows that the practice of random search and seizure is then unreasonable.”

Much of the news coverage has approached this legally unproved idea from an accommodating perspective — including Computerworld’s article on steps to follow during a CBP inspection. However, widespread public consensus indicates that CBP data searches and seizures are prima facie unreasonable. It follows, then, that it is appropriate to fight back with encryption, obfuscation, and data-sharing technology which effectively hides anything of value either by blending into the crowd of other travelers and business people, or places it out of reach until one has safely entered the country. Espenschied writes that this may be problematic since he does not believe the searches are random. The CBP might have a protocol for identifying individuals, and it is possible that some CBP officers actually follow them. Since “profiling” has become a euphemism for racism, it is difficult to express the process by which dangerous people are picked out of a crowd. As a result, the process is inconsistent and opaque. “The rub is that anyone carrying protected or encrypted data becomes interesting, and there’s little one can do to mitigate that aside from being polite and unobtrusive,” Espenschied writes. Accordingly, anyone actually paying attention to legal information-security requirements, corporate policy, or personal privacy interests must assume that he or she is a target. “If the trend continues in this direction, anyone carrying any protected data — financial audits of outsourced partners, health care databases or disease profiles, remote business-unit travel plans, or field work of any kind — becomes subject to seizure and unmonitored rifling through their data.”

Tomorrow: What can a business person do