Coalition Slams DHS Plans To Demand Social Media Passwords

from the isn't-that-a-cfaa-violation? dept

Starting last summer, we noted that the Department of Homeland Security had quietly tested the waters to expand the information it requested of travelers entering the United States, to "optionally" include social media handles. By December it was officially in place. And then, just days into the new administration, the idea was floated to expand this program even further to demand passwords to social media accounts.

In other words: that escalated quickly. We went from "hey, maybe we could ask people to volunteer what their social media profiles are" to "hey, let's demand all social media accounts, including passwords" in, like, six months.

In response, a ton of human rights and civil liberties organizations have posted an open letter condemning this dangerous plan:

This proposal would enable border officials to invade people’s privacy by examining years of private emails, texts, and messages. It would expose travelers and everyone in their social networks, including potentially millions of U.S. citizens, to excessive, unjustified scrutiny. And it would discourage people from using online services or taking their devices with them while traveling, and would discourage travel for business, tourism, and journalism.

Demands from U.S. border officials for passwords to social media accounts will also set a precedent that may ultimately affect all travelers around the world. This demand is likely to be mirrored by foreign governments, which will demand passwords from U.S. citizens when they seek entry to foreign countries. This would compromise U.S. economic security, cybersecurity, and national security, as well as damage the U.S.’s relationships with foreign governments and their citizenry.

Policies to demand passwords as a condition of travel, as well as more general efforts to force individuals to disclose their online activity, including potentially years’ worth of private and public communications, create an intense chilling effect on individuals. Freedom of expression and press rights, access to information, rights of association, and religious liberty are all put at risk by these policies.

The first rule of online security is simple: Do not share your passwords. No government agency should undermine security, privacy, and other rights with a blanket policy of demanding passwords from individuals.

There are lots of reasons why the proposal is bad -- but the security one is probably the biggest. People should never share passwords with anyone, but most especially foreign governments who have no interest in protecting them. And the letter is accurate that this will just encourage other countries to do this back to Americans (and others) and create a massive security nightmare. And that doesn't even touch on the chilling effects created by such promised surveillance.

Of course, one hopes that this kind of insane policy will get people to recognize that passwords suck as a security system. At the very least, it should encourage people to use multifactor authentication that can't just be handed over to some random border control person demanding your passwords. But that's no excuse for DHS going down this path in the first place. It's a bad proposal that won't help DHS protect us, but will cause tremendous harm and create serious security problems.


Reader Comments



  1. orbitalinsertion, 23 Feb 2017 @ 10:18am

    Re: Re:

    While I appreciate and understand all your pointers regarding this, most people simply are not prepared to deal with them. The only "active" social media account I do have is a "dummy" already, but honestly I don't want to delete my chat logs. As for email, I have never used Hotmail or any of its later names under MS, and I use an email client, and don't leave things parked on servers.

    Mitigation against an omnipresent totalitarian regime is nice, and honestly, if I were doing anything the gov was actually interested in, I wouldn't use most services and have everything dummy accounts linked to burner devices and never use them near my networks. And sure I can nuke and pave hard drives, but that is a huge pain, especially for most.

    The thing is, we'd rather fight this ridiculous government intrusion than have to adopt measures that we surely would if necessary. (And in some ways, it has been necessary for some people for many years already.)

    It's great advice, and I and many others have given similar advice, especially in IT fora. But here you are kind of mostly preaching to people who already know, and are more interested in dealing with the faulty system than how to avoid having your private or business info and intimate conversations pawed over by officious morons. At least in this venue.
