What should I do to protect data when going across the US border with a computer?

From our related question on Security Stack Exchange:

tylerl’s top answer mentions EFF recommendations:

• Carry as little data as possible over the border.
• Keep a backup of your data elsewhere.
• Encrypt the data on your device.
• Store the information you need somewhere else, then download it when you reach your destination.
• Protect the data on your devices with passwords.

…US Customs policy giving themselves permission and responsibility to examine all incoming devices (and data on these devices), including computers, cell phones, etc.

…a number of cases of Customs officials placing monitoring/tracking software on transiting computers

…Finally, don’t forget the value of Truecrypt hidden volumes. The plausible-deniability is helpful when dealing with governments.

And I would suggest that these are not activities limited to paranoiacs, but should be followed by any business-person travelling to the US. I don’t take any devices with business data on if I can help it, and where possible I also avoid taking personal data.

You might be interested in reading this article. http://www.cba.org/CBa/PracticeLink/tayp/laptopborder.aspx

“Once at their destinations, employees work with data stored on company servers via secure virtual private network (VPN). (Secure connections are a must since, under certain circumstances, U.S. law permits interception of e-mail and remote server connections.)
Employees may download files to their computers, upload the results of their work to company servers and “forensically clean” their computers before traveling again.”

One possibility is to do a full drive encryption with some software like TrueCrypt. You can then store the key on a USB drive and have someone you trust send it to you once you make it across the border.

This way you are physically not able to decrypt the computer if asked/forced to. Make sure the thumb drive only gets sent to you once you’re safely across the border. The only problems in this would be if the government made a copy of the encrypted data and then intercepted the drive in the mail.

Another alternative is to have a friend encrypt the key and upload it to the cloud. They could then tell you the password once you’re safely in the US.

Although I wonder what could be so demanding to import an entire PC (a desktop) – I think there literally are no options if the CBP is bent on checking whatever you are bringing in to USA. Including the nuts and bolts that hold your PC.

I have shipped external hard drive(s) (VM images) in the past and FedEx/UPS had no problem delivering to and from third world countries. I have moved in and around the world freely with a couple of laptops in my backpack with no problems and no inspection at all (other than running them through the airport security scanners).

I feel at the maximum the CBP fellas will wanna inspect whats in the CPU tower versus what is in the hard disk. If the information isn’t a terabyte you could also temporarily move the information to a pen drive. I have never heard someone’s laptop of pen drive being perused for data.

Disclaimer: IANAL

Allegedly if CBP officers find something clearly marked as “business confidential”, they may not proceed without authorization of higher-ups.

Guidelines have been described in document DoHS’s document “Privacy Impact Assessment:
CBP and ICE Border Searches of Electronic Devices”. Seems that according to this if CBP officers would disclose any of your trade secrets, they’d still be legally liable.

However, if you don’t want to take chances with that, the recommended course of action is (for example for foreign lawyers):

• use high grade encryption and upload encrypted files to a cloud
• store (pass-phrase protected) encryption keys on small device (eg. microSD card)
• sanitize your computer deleting sensitive data and encryption keys
• download and decrypt your data as needed

Note, that this is going bit on paranoid side of things.

A random search of your computers seems very unlikely but what I read also suggests that you have basically no legal recourse against it should it happen. The only workable solution I am aware of is to upload the data somewhere and then download it once you are in the US.

Of course, this creates all sorts of new security issues (how to secure the transfer and server against whatever risks you are concerned about, etc.) but it would prevent border guards from accessing your data without doing anything illegal. I have no idea if many (business)people actually go to the trouble of doing it.