Would you let your smartdevices be copied by strangers? Your answer may determine your next device choice.
Recently a guest flying to a wedding in Israel was asked at his departure airport (outside Israel) for his smartphone, tablet and laptop — and passwords. Though not expressly declared the implication was that ‘security’ would take these devices away, access them and possibly copy them for subsequent analysis. In this instance the traveler acquiesced. But would you or even should you acquiesce? The implications are significant for individuals and companies and may even provide a decision point applicable to your next purchase of smartphone, tablet and laptop.
Some questions for you:
- if at the airport you were asked for your house keys, would you hand them over?
- if at the airport you were asked for your office keys, would you hand them over?
- if at the airport you were asked for your phone, tablet and/or laptop, would you hand them over?
- if at the airport you were asked for your phone, tablet and/or laptop AND their passwords, would you hand them over?
As Senator Charles Schumer (D-NY) recently put it (about employers asking for Facebook, email and other passwords): “Employers have no right to ask job applicants for their house keys or to read their diaries—why should they be able to ask them for their Facebook passwords and gain unwarranted access to a trove of private information about what we like, what messages we send to people, or who we are friends with?”
If you said to a security person “do you trust me?” you would expect the answer back “No: I am paid not to trust you” or similar. But why should you trust someone you have never seen before who claims to be ‘security’: why should you not say, in response, “Well, as I have never seen you before, why should I trust you?” Does a passenger to Israel (or anywhere else) have the legal right to refuse to give his passwords? No clear answer on this seems to exist.
In the absence of clarity on this point there seems to be only two ways to proceed:
- either do not take an devices when traveling
- or encrypt your data and applications so that the ‘authorities’, whoever these may be, cannot access your data and apps (or cannot access them without applying significant decryption resources and incurring associated costs).
This is not merely a personal issue (and it will protect if someone takes your device). It is also a corporate data+apps issue. Imagine, as can happen in the UK (q.v. http://www.constellationrg.com/blog/2012/05/if-police-can-read-your-mobi…) that the Police take an image of your smartphone or tablet or laptop, which might include something that could be used by another ‘institution’ (say the SEC or FBI or Bundesnachrichtendienst) at a later date in a corporate prosecution or other investigation.
Today it behoves corporations as much as individuals to encrypt in order to increase the price of access — and to discourage the causal data abuser (they do exist, even in security organizations) from exploiting what is not theirs.
As documented elsewhere (q.v. http://www.constellationrg.com/blog/2012/04/snatch-and-grab-iphone-theft…) my iPhone was stolen in Tel Aviv (though it could have happened anywhere). After almost 3 months I am now ready to a replacement smartphone (possibly new, possibly refurbished). Initially I was going to buy a Nokia Lumia 800 or 900 with Windows Phone (WP), but Microsoft’swooden-headed refusal to upgrade 2012-purchased smartdevices from WP7. 5 to WP8 (whenever the latter arrives) immediately disposed of any further interest in this option (q.v. http://www.constellationrg.com/blog/2012/05/iphone-theft-consequences-pa…).
iOS and encryption do not go together. This means that, with no iPhone, the incentive to keep the iPad further diminishes.
That leaves Android, specifically Ice Cream Sandwich — which has encryption baked-in as a system function option; or it might be a Linux-based phone — at least for a smartphone. Longer term, a Windows 8 tablet to replace an iPad1 (now that iOS6 will not run on a first version iPad) looks at least as attractive as an Android 4 tablet, because with Win8 you can use open source encryption products like Trucrypt.
With smartphone, tablet and laptop protected by encryption, preferably that which is separate from system login passwords (obtained where possible from a non-vendor source, because large vendors are all too vulnerable to pressures from the ‘authorities’), the fear that either personal or corporate data might reappear when least expected will largely disappear. Even better, encryption will mean avoiding having to challenge security personnel about their right to examine your property when traveling as well as reducing risks in case of thefts.
That said, a caveat is illuminating. Three years ago Israel Airports Authority Security took away a calculator for detailed, non-invasive examination while making the promise to return it within 48 hours. It was indeed returned within 48 hours (shipped by air, at the airline’s cost) — but the calculator was ruined. It had been opened and comprehensively trashed (hardly ‘non-invasive’). On a subsequent occasion a similar request was made to take away (again allegedly for ‘non-invasive examination’) a portable 750GB USB hard disk. When confronted with the story about the calculator ruination plus a demand that the hard disk should only be taken away once a prior written indemnity was given for $20K (for the software and data content on the disk) in case of damage, the need for examination miraculously evaporated.
The overall moral. Travelers and their employers need to become more savvy, careful and less forgiving of nosy authorities who seemingly are taking it upon themselves powers that are difficult to challenge when on the move. Encryption does not solve everything. But it can diminish significantly several risks and inconveniences.