Reasonably Accurate Transcript
Morning everybody. How are you doing today? In this episode of the show, we're gonna talk about physical borders and digital security. So there was a recent CBC news article around uh Toronto based lawyer Nick Wright, who came, uh was away from Canada for quite a while and then came back and when he came back and crossed the border, um and when he landed and, you know, to the customs and crossed the border to re-enter into Canada, he was asked for his passwords to his digital devices.
He refused. Canadian border services, um, then seized the devices and told them that they would attempt to brute force the passwords and search the devices at their leisure, um, and gave him a receipt for them, and off he went. And of course, now he's in an uproar. Totally makes sense. That feels like a massive violation of your rights.
The problem is, and I'm not a lawyer yet again. I need that as like a permanent bar on this show underneath. You know, we've got the tagline, we've got the website mark NC A slash MWM and then the, the episode number uh or that's reverse probably. But what I really need is this thing saying, you know, hey, this guy may have some security expertise, but he is not a lawyer.
Um So not a lawyer, just some opinions from what I've seen. Um And really, I don't need to be a lawyer to communicate this to you because I think this is really fascinating. Um But here are the facts as I see them. Um And my opinion sprinkled on top, but the fact is when you are approaching a border, different laws apply.
Is this true globally? Um Now there are two main scenarios when you approach a border as a citizen returning into your own country. So it's crossing your own border on your own soil and as a foreigner approaching another country. Now, what people tend to forget is that you as a foreigner.
So if I'm a Canadian and I am going into the uh UK when I arrive on UK soil and present myself at the border, I am in a foreign country asking for permission to enter. Now, there are agreements between different countries about what that means and what different things are around there.
But at the end of the day, you're a foreigner asking to come in, right? You're knocking on somebody's door. Can I come to your house, please? And they make the decision whether you can or can't based on uh their principles based on their guiding laws based on any agreements between your countries yada, yada yada, but almost every single border in this day and age has a huge amount of leeway for the border to search anything coming across.
And this is designed on its surface to stop contraband, to stop drugs, to stop weapons, to stop that kind of stuff coming across the country. But then regardless of what the reasoning is, most countries have the ability to pretty much search whatever they want that's crossing their borders. Now, the second scenario, the first scenario where you're a citizen returning back to your own country.
There are some exceptions and there may be some different um or additional protections on top of it. But at the end of the day, you're still crossing a border and the easiest way to think about this for all of us, non lawyers out there is that borders are essentially like uh you know, being in international waters um out at sea, there's not many rules, you don't have as many rights as you think you do.
So it's best to take precautions. Now, what I want to talk about in this episode of the show and what the article that I read really brought up to me uh is that people seem to be really bad at modeling their risk. So in this case, the lawyer said, uh I don't want you searching these devices because I have um solicitor client privilege information on there that you're not legally allowed to see.
Uh And of course, the border services agency responded, well, we've trained our people to avoid looking at that kind of thing. Let me tell you, as a forensic investigator, that doesn't fly. Uh, it is extremely difficult to actively avoid something that you don't know is there. Um, and even if you do know it's there, you're not going to take somebody's word for it.
So the lawyer can't say, well, don't look at file named ABCD because that's under per client privilege, when in fact that could be the thing that they're, you know, in a malicious scenario, hypothetical scenario, they might want to be hiding from the authorities. So you can't actually not find this information.
Really, CBSA should say the policy is, if this information is found, out of professional training and courtesy, that it is forgotten and excluded from future searches. Um But from a threat model perspective, and this is really what I wanted to dive into on this episode, was that a threat modeling perspective?
This stuff is really interesting knowing that the border is a basically no go zone is a gray zone um for your privacy and your sort of rights around um search and seizure, you should take that into account your threat model. And for this particular case, if the lawyer had sensitive information that they didn't want anybody else seeing encrypting those files to a really high degree where only he had the complex password um, if you wanted to try to risk that as far as, um, contesting not providing his password to those legal files.
Um, but again, in that case, you better have a different password for your systems than you do for your data access. Because I don't think, and again, I'm not a lawyer. I don't think that that would fly as an argument of like, oh, I have one password that covers everything so you can't see anything.
Um However you might, might and again, not a lawyer, you might have the basis for an argument if you said, well, here's my, my legal files are encrypted uh with a separate password that I will not provide you. But here is access to the rest of the system if you are looking for something in particular.
Um But far safer is just to avoid the issue altogether. Sanitize your devices before you cross the border. If this is part of your threat model, are you worried about this stuff? Well, then, uh you know, if you want to protect your data, don't travel across the physical border with copies of your data.
And I think people don't really truly realize the amount of risk the exposure they have for their smartphone or their tablet. These are wired up to pretty much every account you have in your life. So if you think about your smartphone right on your smartphone, you're probably banking, you've got your personal email, probably your work, email, a ton of photos, your social networks are all logged in and all this stuff is all actively logged in.
So if they give um if they get access to your core uh OS on the device, if they sign into your device, they probably have access to all this stuff right out of the, out of the gate, right? Unless you've added additional protections and saying like, hey use my face ID every single time.
So having this is basically a map to your life when you cross the border, are you willing to take that risk? Some people are, some people aren't again with everything in information security. I think you really need to make sure that this is an explicit decision now with the cloud services with the ability to back up data, um it's really easy to either sanitize your main device and then cross the border with it and then reload the data you need or better yet take a whole different set of devices on the go.
Do you really need all your data with you when you're traveling? So, uh I see this quite often when people go on vacation, they take all their, you know, their work phone or their main phone when they go on vacation. I'm like, do you really need that on vacation? Um Here's a great opportunity for a low cost sort of burner and just flip your SIM card over if you got a great plan or get a temporary one when you're wherever you are.
Um And then you can access your personal email if you need to and your photos. And then that way you've reduced your data footprint as you're crossing the border. Um Now again, this is not designed to help you hide information from the authorities or get away with anything. I think it's just a reality of you need to understand that there are certain risks and when it comes to the border, there are legal risks.
Um, because you're doing a physical transit into somebody's country or transitioning between countries back to your own. And that could now in this day and age because of the value of the information in your smartphone. Um, and the value, uh, to that, to all sorts of legitimate investigations that puts your personal privacy at risk and you need to take steps to potentially protect that if that's what you decide.
Again, no clear cut answer here and again, I'm not a lawyer. Um, but I think it's something you really need to think of. And that was the first thing that really hit me when I read that article about, uh, in CBC was like, wow, that person does not understand risk modeling for them not to understand.
And I realize border law is sort of, you know, uh, um, a fringe area of law that most lawyers might not touch but to not understand the challenges and the risks to their own information. That's, uh, that was disappointing to me because I think that's something that everybody needs to be aware of.
And if you're transiting across the border or if you're in a scenario where you're regularly exposing your data and if you've got your cell phone with you, you probably are, you need to understand the risks of carrying this little guy around, especially when you're crossing international borders. What do you think?
Let me know, hit me up uh at Mark NC A in the comments down below and as always by email me at Mark N dot C A. How do you handle crossing the border with all of your digital information? Do you worry about it? Do you take precautions? Uh let's share, let's all learn from this.
Uh I look forward to having this discussion with you and seeing you on the next show.